Preface



This volume contains selected papers from WADT 2002, the 16th International 
Workshop on Algebraic Development Techniques. Like its predecessors, WADT 
2002 focussed on the algebraic approach to the specification and development 
of systems, an area that was born around the algebraic specification of abstract 
data types and encompasses today the formal design of software systems, new 
specification frameworks and a wide range of application areas. 

WADT 2002 took place at the convent of Frauenchiemsee, Germany, on September 24-27, 2002, and was organized by Rolf Hennicker, Dirk Pattinson and Martin Wirsing. The workshop also included a special track on Formalism, Logic, Institution - Relating, Translating and Structuring (FLIRTS), and three satellite events: a meeting of the IFIP Working Group 1.3 on Foundations of System Specification, a Workshop on Global Computing organized by the AGILE project, and a Workshop on Multimedia Instruction in Safe and Secure Systems (MMISS).

The program consisted of invited talks by Egidio Astesiano (Genoa, Italy), Andrew Gordon (Cambridge, UK), and Jan Rutten (Amsterdam, The Netherlands), and 44 presentations describing ongoing research on the main topics of the workshop: formal methods for system development, specification languages and methods, systems and techniques for reasoning about specifications, specification development systems, methods and techniques for concurrent, distributed and mobile systems, and algebraic and co-algebraic foundations.

The steering committee of WADT consisted of Michel Bidoit, Hans-Joerg 
Kreowski, Peter Mosses, Fernando Orejas, Francesco Parisi-Presicce, Donald 
Sannella, and Andrzej Tarlecki. With the help of Till Mossakowski for the 
FLIRTS track, and the local organizers, several papers were selected, and the 
authors were invited to submit a full paper for possible inclusion in the work- 
shop proceedings. All submissions underwent a careful refereeing process. The 
selection committee then made the final decisions. 

This volume contains the final versions of the 20 contributions that were accepted. It also contains two invited papers, those of Egidio Astesiano and Jan Rutten, and two invited presentations of the AGILE project on Software Architecture for Global Computing and of the MMISS project on Multimedia Instruction in Safe and Secure Systems. We are also proud to present in this volume the cantata “Zero, Connected, Empty”, which was specially written for the banquet of the workshop. This cantata was composed by Ryoko Goguen with words by Joseph Goguen; an essay by these authors explains some of the thoughts behind the cantata.

We are extremely grateful to all the referees who helped the selection committee in reviewing the submissions: M. Cerioli, R. Diaconescu, J.A. Goguen, B. Hoffmann, M. Hofmann, S. Katsumata, R. Klempien-Hinrichs, B. Konikowska, A. Kurz, D. Llywelyn, C. Lüth, F. Nickl, P. Ölveczky, C. Oriat, W. Pawlowski, G. Reggio, H. Reichel, M. Roggenbach, G. Rosu, and L. Schröder.

The workshop was jointly organized by IFIP WG 1.3 (Foundations of System Specification), GI Fachgruppe 0.1.7 (Specification and Semantics), and the Graduiertenkolleg “Logic in Computer Science” of LMU Munich and TU Munich. WADT 2002 received generous sponsorship from the following organizations:

DFG (Deutsche Forschungsgemeinschaft),

Institut für Informatik, Ludwig-Maximilians-Universität München,

Münchner Universitätsgesellschaft.

As organizers of the workshop, we would like to express our deepest thanks to Sister Scholastica of the convent of Frauenchiemsee for hosting the workshop with dedication and care, and for greatly facilitating the innumerable local organization tasks. Hubert Baumeister, Marianne Diem, Anton Fasching, Florian Hacklinger, Piotr Kosiuczenko, Philipp Meier and several other members of the department provided invaluable help throughout the preparation and organization of the workshop. We are grateful to Springer-Verlag for their helpful collaboration and quick publication.

Finally, we thank all workshop participants both for lively discussions and 
for creating a friendly and warm atmosphere in spite of all the rain! 
Abstract. Architecture-based approaches have been promoted as a means of controlling the complexity of system construction and evolution, in particular for providing systems with the agility required to operate in turbulent environments and to adapt very quickly to changes in the enterprise world. Recent technological advances in communication and distribution have made mobility an additional factor of complexity, one for which current architectural concepts and techniques can hardly be used. The AGILE project is developing an architectural approach in which mobility aspects can be modelled explicitly and mapped on the distribution and communication topology made available at physical levels. The whole approach is developed over a uniform mathematical framework based on graph-oriented techniques that support sound methodological principles, formal analysis, and refinement. This paper describes the AGILE project and some of the results gained during the first project year.



1 Introduction 

Architecture-based approaches have been promoted as a means of controlling 
the complexity of system construction and evolution, in particular for providing 
systems with the agility that is required to operate in turbulent environments 
and to adapt very quickly to new business requirements, new design technologies, 
or even to changes in the enterprise world which, like mergers and acquisitions, 
require new levels of openness and interoperability. However, the architectural 
approach offers only a “logical” view of change; it does not take into account 

* This research has been partially sponsored by the EC 5th Framework project AGILE (IST-2001-32747) (www.pst.informatik.uni-muenchen.de/projekte/agile).

M. Wirsing, D. Pattinson, and R. Hennicker (Eds.): WADT 2002, LNCS 2755, pp. 1–33, 2003.

© Springer-Verlag Berlin Heidelberg 2003
the properties of the “physical” distribution topology of locations and communication links. It relies on the fact that the individual components can perform the computations that are required to ensure the functionalities specified for their services at the locations in which they are placed, and that the coordination mechanisms put in place through connectors can be made effective across the “wires” that link components in the underlying communication network. Whereas the mobility of computations is a problem that we are beginning to know how to address in the field of “Global Computation”, the effects of mobility on coordination are only now being recognised as an additional factor of complexity, one for which current architectural concepts and techniques are not prepared. As components move across a network, the properties of the wires through which their coordination has to take place change as well, which might make the connectors in place ineffective and require that they be replaced with ones that are compatible with the new topology of distribution. In addition, updates on the communication infrastructure will quite likely lead to revisions of the coordination mechanisms in place, for instance to optimise performance.

The AGILE project aims to contribute to the engineering of Global Computation and Coordination Systems. It is funded by the EU initiative on “Global Computing”. The partners of the AGILE project are Ludwig-Maximilians-Universität München, Università di Pisa, Università di Firenze, Istituto di Scienze e Tecnologie dell’Informazione “A. Faedo” CNR Pisa, ATX Software SA, Faculdade de Ciências da Universidade de Lisboa, and more recently the University of Warsaw and the University of Leicester.

The objective of AGILE is to develop an architectural approach in which mobility aspects can be modelled explicitly as part of the application domain and mapped to the distribution and communication topology made available at physical levels. The whole approach is developed over a uniform mathematical framework based on graph-oriented techniques that support sound methodological principles, formal analysis, and refinement across levels of development. Application areas of AGILE include E-Business, Telecommunications, Wireless Applications, Traffic Control Systems and decision support systems which need to collect global information.

More precisely, AGILE pursues the following three main research topics: 

— The development of primitives for explicitly addressing mobility within architectural models. This work is based on CommUnity and its categorical framework [17, 16] supporting software architectures on the basis of the separation between “computation” and “coordination” with an additional dimension for “distribution”. Consequently, primitives for the third dimension of “mobility” are developed with which the distribution topology can be explicitly modelled and refined across different levels of abstraction.

— The definition of algebraic models for the underlying evolution processes, 
relating the reconfiguration of the coordination structure and the mobility 
of components across the distribution topology. This work is based on graph 
transformation techniques [7] and Tile Logic [18], and is also the basis for 
logical analysis of evolution properties as well as for tools for animation and 
early prototyping. 
— The development of an extension of UML for mobility that makes the architectural primitives available to practitioners, together with tools for supporting animation and early prototyping.

The following main aspects are pursued in all three research topics: 

— analysis techniques for supporting compositional verification of properties 
addressing evolution of computation, coordination and distribution, and 

— refinement techniques for relating logical modelling levels with the distribution and communication topology available at physical levels.

In this paper we give an introduction to the approach of the AGILE project and present some of the results gained during the first project year. In particular, we present extensions of three well-known formalisms to mobility: extensions of CommUnity, of UML, and of Graph Transformation Systems. We also introduce an extension of Klaim, an experimental kernel programming language specifically designed to model and to program distributed concurrent applications with code mobility.

In the developed extension of CommUnity, primitives were added to CommUnity that support the design of components that can perform computations in different locations and be interconnected to other components over a distributed and mobile network. Patterns of distribution and mobility of components (or groups of components) can be explicitly represented in architectures through a primitive called distribution connector. These patterns include coordination patterns that are location-dependent or even involve the management of the location of the coordinated parties. The semantics of the architectural aspects of this extension were developed over the categorical formalisation already adopted for CommUnity.

The extensions of UML cover class diagrams, sequence diagrams, and activity 
diagrams. The idea for all of these extensions is similar to the idea of ambients 
or Maude, in that a mobile object can migrate from one host to another and 
it can be a host for other mobile objects. It may interact with other objects. 
Like a place, a mobile object can host other mobile objects, and it can locally 
communicate and receive messages from objects at other places. Objects can be 
arbitrarily nested, generalising the limited place-agent nesting of most agent and 
place languages. 

Graph Transformations Systems are used to give an operational semantics to 
the UML extensions. Object diagrams and the actions of activity diagrams are 
represented using Typed Hyperedge Replacement Systems. Each action of an ac- 
tivity diagram is modelled by a unique graph transformation rule. We can show 
that under suitable assumptions a set of graph transformation rules implements 
correctly the dependencies in an activity diagram. In case stronger synchronisa- 
tion is necessary, we use a specialisation of the tile model: Synchronised Typed 
Hyperedge Replacement Systems. 

As for Klaim, although designed for dealing with mobility of processes located over different sites of local area networks, it lacked specific primitives for properly handling open systems, namely systems with dynamically evolving structures where new nodes can get connected or existing nodes can disconnect. In the paper we present OpenKlaim, an extension of Klaim with constructs for explicitly modeling connectivity between network nodes and for handling changes in the network topology.

Fig. 1. Use Case diagram.

The paper is organised as follows. The next section introduces the airport case study, which serves as a running example for the material in the following sections. Section 3 presents our UML extensions for modelling mobile systems. Next, in Sect. 4 we present our research on the structural aspects of the architectural approach. The starting points for this research are CommUnity (Sect. 4.1) and Klaim (Sect. 4.2). Section 5 presents the way graph transformation and its synchronised version (which is a specific instance of the Tile Model) can be used for the specification of a fragment of the airport case study. Finally, in Sect. 6 a conclusion and an outlook to future work are presented.



2 The Airport Case Study 

As an example of mobile objects we consider planes landing and taking off from 
airports. These planes transport other mobile objects: passengers. In a simplified 
version of this scenario, departing passengers check in and board the plane. After 
the plane has arrived at the destination airport, passengers deplane, and claim 
their luggage. We consider also actions performed by the passengers during the 
flight, like the consumption of a meal, or making and publishing pictures. 

Figure 1 shows these requirements as a UML use case diagram. A use case 
diagram consists of use cases and actors. The identified actors are the Airport, 
the Passenger and the Plane. The actor Airport starts the use cases Departure 
and Arrival, which allow passengers to check in and to deplane, respectively, and 
allow planes to take off and land, respectively (included use cases TakingOff and 
Landing). Planes control the use case Flying. 
The flow of events of a use case can either be detailed textually or graphically using UML activity diagrams or UML sequence diagrams. The objects involved and their classes are described by class diagrams.

Parts of this case study serve as running example for the modelling techniques 
presented in the following sections. 

3 UML for Global Computation 

UML is extended using the extension mechanisms provided by the UML itself, i.e. stereotypes, tagged values and OCL constraints, as well as by improvements in the visual representation used in activity and sequence diagrams.

The objective of this research is to develop an extension of the UML to support mobile and distributed system design. This includes linguistic extensions of the UML diagrammatic notations using the extension mechanisms provided by the UML itself, i.e. stereotypes, tagged values, and OCL constraints, as well as introducing new visual representations. Further, the objective includes extensions of the Unified Process and a prototype for simulating and analysing the dynamic behaviour of designs of mobile and distributed systems.

In this section, we give a UML (Unified Modeling Language) [34] specification of the flight. The specification consists of use case diagrams, class diagrams, activity diagrams and sequence diagrams. In the following we show only a part of the solution; a more comprehensive solution can be found in [3,27].

3.1 Class Diagrams 

We model the simplified airport problem domain using UML class diagrams. We 
identify the following classes: Airport, Plane, Flight, Passenger and Country, 
where: 

— Airport is an origin or destination location. 

— Flight is the trip that happens along a particular route on a particular day. 

— Plane is the machine that operates a flight. 

— Passenger is a person who is waiting to board a plane at an airport, is on a plane or has just arrived at the airport.

— Country is a place where an airport is located. 

In our extension of class diagrams for mobility, we distinguish between objects and locations which are movable and which are not (cf. [3]). Movable objects are denoted with the UML stereotype «mobile», and objects which can serve as locations are indicated with the stereotype «location». Movable objects and locations are required to have a unique attribute atLoc whose value is the location they are at. We require that the relation given by the atLoc attribute is acyclic. Note that this implies that locations form a hierarchy.

We can only move objects and locations that are movable. In our example, Passenger and Plane are mobile objects. In addition, Plane has a location role, the same as Airport. The problem domain is visualised as a UML class diagram as shown in Fig. 2. Note that OCL constraints [34] can be attached to modelling elements to express semantic conditions.
Fig. 2. Class diagram of the airport example.



3.2 Activity Diagrams 

In this section we introduce two variants of activity diagrams for modelling 
mobility. These diagrams were introduced in [3] . The first variant is responsibility 
centered and uses swimlanes to model who is responsible for an action. The 
second is location centered and uses the notation of composite objects to visualise 
the hierarchy of locations. 

A typical activity of mobile objects is the change of location, i.e., the change of the atLoc attribute. An object can move from one location to another. In our UML extension, we distinguish these activities by representing them as a stereotyped activity that we call «move» (cf. 4). Not included in the example, but not less important, is the stereotyped activity called «clone», which first clones the object, which is moved afterwards.

Figure 3 shows the activity diagram corresponding to the Departure use case. 
Note that the fact that the plane can only take off if the passenger boarded and 
the luggage is loaded is expressed by the use of joins in the UML activity diagram. 
Compare this with the CommUnity approach presented in Sec. 4.1. Note that 
partitions marked with actor’s names are defined to organise responsibilities for 
these activities. Such an activity diagram with partitions gives a responsibility- 
centred view of the flow of events. 

Once the objects are identified, the activity diagrams can be enhanced with object flows, showing relationships among successive loci of control within the interaction. Figure 4 shows such an enhanced activity diagram. The objects are attached to the diagram at the point in the computation at which they are suitable as an input or produced as an output. In our example, the in-going objects to an activity are very often the same as the outgoing ones. The corresponding state of the objects is specified in the square brackets (cf. objects Plane and Passenger in Fig. 4). This is what we call the responsibility-centred view; the responsibilities are given by swimlanes and the locations are represented indirectly by object states.

Fig. 3. Activity diagram of the departure scenario.

Fig. 4. Activity diagram departure scenario: Responsibility centered view.
Fig. 5. Activity diagram: Location centered view.



We present here also another kind of view, the so-called location-centred view, with the goal of visualising a location directly by object box containment: states of objects are no longer needed to represent locations. We eliminate the swimlanes and we place the activities inside the locations. This UML extension gives a direct presentation of the topology of locations. Figure 5 shows the Departure and the Flight scenario.

3.3 Sequence Diagrams 

In this subsection we consider again a flight from Munich to Lisbon. We specify 
the flight from two different perspectives. The first perspective is the perspective 
of an observer in Munich. The second perspective refines the first one adding 
several details. We use here the extension of UML sequence diagrams proposed 
in [27] for modelling mobile objects. The behaviour of mobile objects is modelled 
by a generalised version of lifelines which allows us to represent directly the 
topology of locations within a sequence diagram. For different kinds of actions 
like creating, entering or leaving a mobile object stereotyped messages are used. 
This notation provides also a zoom-out, zoom-in facility allowing us to abstract 
from specification details. 

Figure 6 shows a simple story of a passenger x who boards an airplane in Munich airport, flies to Lisbon and publishes a picture in a WAN. The domain model of this sequence diagram is based on the class diagram of Fig. 2 and uses additionally the class Network. The story is described from the perspective of an observer on the German side. The person x together with other passengers enters the airport and then boards the airplane A7. The airplane flies to Lisbon (the flight number is 99), but the only thing the observer can see is that the airplane is airborne, not what happens inside the airplane nor further details of this flight. The next event which the observer is able to notice is the appearance of a picture in the WAN. To model several passengers (i.e. objects of class Passenger), we use the UML multi-object notation, which allows us to present in a compact way several passengers playing the same role. Person x is distinguished using the composition relationship. The observer does not care about the order in which the passengers board or leave the plane and what they do during the flight. We abstracted here also from the architecture of the WAN and the person’s position. This simple view shows some of the barriers person x has to cross while flying from Munich to Lisbon.

Fig. 6. Sequence diagram with mobility.

In the view presented in Fig. 7, we show many more details. We show political boundaries which regulate the movement of people and devices, like airplanes, computers and so on. Within those boundaries, there are other boundaries like those protecting airports and single airplanes against intruders. Only people with appropriate passports and tickets may cross those boundaries. Therefore, in our model we make explicit those boundaries and the moving across them. The airplane A7 is a very active mobile computing environment, full of people who are talking, working with their laptops, calling their families, making pictures or connecting to the Web via phones/modems provided in the airplane. We can see here what happens inside the airplane during the flight; the jump arrow contains the action box of the airplane A7. Passenger x makes pictures with his digital camera, and the pictures are then sent to the WAN. As usual, a digital camera does not allow him to send pictures directly to the WAN. It is also forbidden to use mobile phones during the flight. Therefore the passenger saves the pictures to his notebook nb, logs into the onboard network and then transmits the pictures to the WAN via the onboard network. We abstract here from the structure of the WAN network (indicated by a dashed line). Let us point out that the sending of the picture by passenger x is not temporally related to crossing any border like those of Germany, or Munich and so on. The only thing we can say is that it happens between the start of the airplane and its landing. Finally, all the passengers leave the airplane and the airport. The passenger can see that the airplane is boarded by new passengers.

Fig. 7. Sequence diagram with mobility: Zoom in.

3.4 Statechart Diagrams 

In this section we show the use of UML statecharts for the design and the specification of the dynamic behaviour of the airport system. A statechart diagram is defined for each class of the model, providing a complete operational description of the behaviour of all the objects of the class. The full system is then represented by a set of class objects. The UML semantics [34, 37, 31, 38] associates to each active object a state machine, and the possible system behaviours are defined by the possible evolutions of these communicating state machines. All the possible system evolutions can be formally represented as a bi-labelled transition system in which the states represent the various system configurations and the edges the possible evolutions of a system configuration. The topology of the system is modelled by an atLoc attribute, associated to each class, which represents its locality. Mobility is realized by all the operations which update the atLoc attribute of an object (the «move» operations).

The verification of the system is done with a prototypal “on-the-fly” model checker (UMC) (cf. [20]) for UML statecharts. On-the-fly verification means intuitively that, when the model checker has to verify the validity of a certain temporal logic formula on one state, it tries to give an answer by observing the internal state properties (e.g. the values of its attributes) and then by checking recursively the validity of the necessary subformulas on the necessary next states.
In this way (depending on the formula) only a fragment of the overall state space might need to be generated and analysed to be able to produce the correct result (cf. [5,14]). The logic supported by UMC, μACTL+ (cf. [20]), is an extension of the temporal logic μACTL (cf. [13]) which has the full power of the μ-calculus (cf. [28]). This logic allows both to specify the basic properties that a state should satisfy, and to combine these basic predicates with advanced logic or temporal operators. More precisely, the syntax of μACTL+ is given by the following grammar, where the χ formulae represent evolution predicates over signal events sent to a target object (here square brackets are used to denote optional parts):

$$\chi ::= \mathit{true} \mid [\mathit{target}.]\mathit{event}[(\mathit{args})] \mid \neg\chi \mid \chi \wedge \chi$$

$$\phi ::= \mathit{true} \mid \phi \wedge \phi \mid \neg\phi \mid \mathit{assert}(\mathit{VAR} = \mathit{value}) \mid EX_\tau\,\phi \mid EX_\chi\,\phi \mid EF\,\phi \mid \mu Y.\phi(Y) \mid Y$$

where $Y$ ranges over a set of variables, state formulae are ranged over by $\phi$, $EX_\chi$ is the indexed existential next operator and $EF$ is the eventually operator.

Several useful derived modalities can be defined, starting from the basic ones. In particular, we will write $AG\,\phi$ for $\neg EF\,\neg\phi$, and $\nu Y.\phi(Y)$ for $\neg\mu Y.\neg\phi(\neg Y)$; $\nu$ is called the maximal fixpoint operator.

The formal semantics of μACTL+ is given over bi-labelled transition systems. Informally, a formula is true on an LTS if the sequence of actions of the LTS verifies what the formula states. We hence say that the basic predicate $\mathit{assert}(\mathit{VAR} = \mathit{value})$ is true if and only if in the current configuration the attribute VAR has a value equal to value. The formula $EX_\chi\,\phi$ holds if there is a successor of the current configuration which is reachable with an action satisfying $\chi$ and in which the formula $\phi$ holds. The formula $AG\,\phi$ illustrates the use of the “forall” temporal operator and holds if and only if the formula $\phi$ holds in all the configurations reachable from the current state.

Following the above syntax, we will write μACTL+ formulae such as:

$$EX\{Chart.my\_event\}\,\mathit{true}$$

which means: in the current configuration the system can perform an evolution in which a state machine sends the signal my_event to the state machine Chart. Or the formula:

$$AG\,((EX\{my\_event\}\,\mathit{true}) \rightarrow \mathit{assert}(\mathit{object.attribute} = v))$$

meaning that the signal my_event can be sent only when the object attribute has value v.

Coming back to the airport example, let us consider an extremely simplified version of the system composed of two airports, two passengers (one at each airport), and one plane. The plane is supposed to carry exactly one passenger and flies (if it has passengers) between the two airports. Departing passengers try to check in at the airport and then board the plane. We contemplate only one observable action performed by the passengers during the flight, namely the consumption of a meal. The complete dynamic behaviour of the objects of classes Passenger, Airport and Plane is shown in Fig. 8 and Fig. 9, in the form of statechart diagrams.
The initial deployment of the system is defined by the following declarations:

object      class      initial values for attributes
Airport1    Airport    MyLink => Airport2, MyPlane => Plane1
Airport2    Airport    MyLink => Airport1
Traveler1   Passenger  atLoc => Airport1, Destination => Airport2
Traveler2   Passenger  atLoc => Airport2, Destination => Airport1
Plane1      Plane      atLoc => Airport1



An example of a property which can be verified over this system is the following: it is always true that Traveler1 can eat only while he/she is flying on Plane1. This property can be written in μACTL+ as:

$$AG\,((EX\{eating(Traveler1)\}\,\mathit{true}) \rightarrow (\mathit{assert}(Traveler1.atLoc = Plane1)\ \&\ \mathit{assert}(Plane1.atLoc = null)))$$
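As an added illustration of the kind of check UMC performs (example code written for this page, not the UMC tool or the paper's statecharts), the following Python script builds a small explicit-state approximation of the two-airport configuration declared above, evaluates the μACTL+ operators assert, EX{χ}, EF and the derived AG over it, and also checks the acyclic atLoc constraint from Sect. 3.1. Event names, the intermediate configurations and the "buggy" variant are constructed assumptions.

```python
"""Explicit-state check of a muACTL+ property over a constructed airport model.

Added example: a hand-built approximation of the simplified scenario (two
airports, one passenger, one plane), not the paper's statecharts nor the UMC
tool. Event labels and the "has eaten" flag are constructed assumptions."""

# A configuration is (Traveler1.atLoc, Plane1.atLoc, Traveler1 has eaten);
# Plane1.atLoc is None ("null" in the paper's notation) while airborne.
ATTRS = {"Traveler1.atLoc": lambda s: s[0], "Plane1.atLoc": lambda s: s[1]}

def build_airport_lts(buggy=False):
    """Return (states, transitions, initial); a transition is (src, event, dst)."""
    a1, a2, p1 = "Airport1", "Airport2", "Plane1"
    waiting = (a1, a1, False)   # initial deployment from the declarations
    boarded = (p1, a1, False)
    airborne = (p1, None, False)
    fed = (p1, None, True)
    landed = (p1, a2, True)
    arrived = (a2, a2, True)
    trans = {
        (waiting, "board(Traveler1)", boarded),
        (boarded, "takeoff(Plane1)", airborne),
        (airborne, "eating(Traveler1)", fed),
        (fed, "land(Plane1)", landed),
        (landed, "deplane(Traveler1)", arrived),
    }
    if buggy:
        # Constructed defect: the meal is served while the plane is at the gate.
        trans.add((boarded, "eating(Traveler1)", (p1, a1, True)))
    states = {s for src, _, dst in trans for s in (src, dst)}
    return states, trans, waiting

def event(name):
    """Evolution predicate chi matching one signal label, e.g. eating(Traveler1)."""
    return lambda label: label == name

def sat(f, lts):
    """Set of configurations satisfying f, a formula written as nested tuples."""
    states, trans, _ = lts
    op = f[0]
    if op == "true":
        return set(states)
    if op == "assert":                      # ("assert", VAR, value)
        return {s for s in states if ATTRS[f[1]](s) == f[2]}
    if op == "not":
        return set(states) - sat(f[1], lts)
    if op == "and":
        return sat(f[1], lts) & sat(f[2], lts)
    if op == "implies":
        return sat(("not", f[1]), lts) | sat(f[2], lts)
    if op == "EX":                          # ("EX", chi, phi): a chi-step into phi
        target = sat(f[2], lts)
        return {src for src, label, dst in trans if f[1](label) and dst in target}
    if op == "EF":                          # least fixpoint of phi or EX{true} Y
        reach = sat(f[1], lts)
        while True:
            step = reach | {src for src, _, dst in trans if dst in reach}
            if step == reach:
                return reach
            reach = step
    if op == "AG":                          # derived: AG phi = not EF not phi
        return sat(("not", ("EF", ("not", f[1]))), lts)
    raise ValueError(f"unknown operator {op!r}")

def holds(f, lts):
    """True when f is satisfied in the initial configuration."""
    return lts[2] in sat(f, lts)

def violations(body, lts):
    """Reachable configurations breaking an AG body: the counterexample states."""
    _, trans, init = lts
    reach = {init}
    while True:
        step = reach | {dst for src, _, dst in trans if src in reach}
        if step == reach:
            break
        reach = step
    return sorted(reach - sat(body, lts), key=str)

def location_hierarchy_ok(state):
    """Sect. 3.1 constraint: following atLoc never cycles (airports are roots)."""
    at_loc = {"Traveler1": state[0], "Plane1": state[1]}
    for start in at_loc:
        obj, seen = start, set()
        while obj is not None and obj not in seen:
            seen.add(obj)
            obj = at_loc.get(obj)       # None: an airport (root) or airborne
        if obj is not None:             # stopped on a repeat: a cycle
            return False
    return True

# "Traveler1 can eat only while he/she is flying on Plane1", from the text.
EATS_ONLY_AIRBORNE = ("AG", ("implies",
    ("EX", event("eating(Traveler1)"), ("true",)),
    ("and", ("assert", "Traveler1.atLoc", "Plane1"),
            ("assert", "Plane1.atLoc", None))))
```

Running `holds(EATS_ONLY_AIRBORNE, build_airport_lts())` returns True for the intended model, while the buggy variant fails and `violations` reports the boarded-at-gate configuration as the counterexample.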

We wish to point out that the development activity of UMC is still in progress and we have reported here some preliminary results on its application to the airport case study. Indeed several aspects of UML statecharts are not currently supported (e.g. the execution of “synchronous call” operations, the use of “deferred events”, the use of “history states”), and the logic itself needs to be better investigated (e.g. its relation with localities). Work in this direction is planned in the near future.

Fig. 9. Plane and passenger state machines (panels: Passenger statechart, Plane statechart).



4 The Structural Aspects of the Architectural Approach 

The goal of the research on architectures is to develop the structural aspects of the architectural approach to mobility, including semantic primitives, categorical semantics, refinement mechanisms, and a toolbox of connectors and operations, as well as modularisation and structuring facilities for the systems considered and their specifications. The starting points for this research are three complementary formalisms: the parallel program design language CommUnity [17] as a platform in which the separation between “computation” and “coordination” has been achieved; the language Klaim [11] as a programming language with appropriate coordination mechanisms that permit negotiating the cooperation activities of mobile components, services and resources; the specification language CASL [1] as a means for providing architectural specification and verification mechanisms. During the first year of the project, the grounds for the integration of distribution and mobility in architectures were set by designing and mathematically characterising basic extensions of CommUnity for distribution and mobility, by adding higher-order mechanisms to Klaim, and by enriching CASL with observational interpretation. In the following we will focus on the extensions to CommUnity by presenting a solution of the airport scenario.

4.1 CommUnity 

CommUnity, introduced in [17], is a parallel program design language that is similar to Unity [6] in its computational model but adopts a different coordination model. More concretely, whereas, in Unity, the interaction between a program and its environment relies on the sharing of memory, CommUnity relies on the sharing (synchronisation) of actions and exchange of data through input and output channels. Furthermore, CommUnity requires interactions between components to be made explicit whereas, in Unity, these are defined implicitly by relying on the use of the same variable names in different programs. As a consequence, CommUnity takes to an extreme the separation between computation and coordination in the sense that the definition of the individual components of a system is completely separated from the interconnections through which these components interact, making it an ideal vehicle for investigating the envisaged integration of distribution and mobility in architectural models.

In CommUnity the functionalities provided by a component are described 
in terms of a set of named actions and a set of channels. The actions offer 
services through computations performed over the data transmitted through the 
channels. 

Channels. In a component design channels can be declared as input, output 
or private. Private channels model internal communication. Input channels are 
used for reading data from the environment of the component. The component 
has no control on the values that are made available in input channels. More- 
over, reading a value from an input channel does not consume it: the value 
remains available until the environment decides to replace it. Output and pri- 
vate channels are controlled locally by the component, i.e. the values that, at 
any given moment, are available on these channels cannot be modified by the 
environment. Output channels allow the environment to read data produced by 
the component. Private channels support internal activity that does not involve 
the environment in any way. Each channel is typed with the sort of values that 
it can transmit. 

Actions. The named actions can be declared either as private or shared. Pri- 
vate actions represent internal computations in the sense that their execution 
is uniquely under the control of the component. Shared actions offer services to 
other components and represent possible interactions between the component 
and the environment, meaning that their execution is also under the control of 
the environment. The significance of naming actions will become obvious below; 
the idea is to provide points of rendezvous at which components can synchronise. 
Space of Mobility. We adopt an explicit representation of the space within which mobility takes place, but we do not assume any fixed notion of space. This is achieved by considering that space is constituted by the set of possible values of a special data type Loc included in the fixed data type specification over which components are designed.

The data sort Loc models the positions of the space in a way that is considered to be adequate for the particular application domain in which the system is or will be embedded. The only requirement that we make is for a special location ⊤ to be distinguished, whose role will be discussed further below. In this way, CommUnity can remain independent of any specific notion of space and, hence, be used for designing systems with different kinds of mobility. For instance, in physical mobility, the space is, typically, the surface of the earth, represented through a set of GPS coordinates. In some kinds of logical mobility, space is formed by IP addresses. Other notions of space can be modelled, namely multi-dimensional spaces, allowing us to accommodate richer perspectives on mobility such as the ones that result from combinations of logical and physical mobility, or logical mobility with security concerns.

Unit of Mobility. In components that are location-aware, we make explicit 
how their constituents are mapped to the positions of the fixed space. Mobility is 
then associated with the change of positions. By constituents we mean channels, 
actions, or any group of these. This means that the unit of mobility — the 
smallest constituent of a system that is allowed to move — is fine-grained and 
different from the unit of execution. 

The constituents of a component are mapped to the positions of the space through location variables. These variables (locations, for short) can be regarded as references to the position of a group of constituents of a component that are permanently colocated. In a component design, locations can be declared as input or output in the same way as channels but are all typed with sort Loc. Input locations are read from the environment and cannot be modified by the component. Hence, if l is an input location, the movement of any constituent located at l is under the control of the environment. Output locations can only be modified locally but can be read by the environment. Hence, if l is an output location, the movement of any constituent located at l is under the control of the component.

Each local channel x of a design is associated with a location l. We make this assignment explicit by writing x@l. At every given state, the value of l indicates the position of the space where the values of x are made available. A modification in the value of l entails the movement of x as well as of the other channels and actions located there. Input channels are located at a special output location whose value is invariant and given by ⊤. The intuition is that this location variable is a non-commitment to any particular location. The idea is that input channels will be assigned a location when connected with a specific output channel of some other component of the system.

Each action name g is associated with a set of locations Λ(g), meaning that the execution of action g is distributed over those locations. In other words, the execution of g consists of the synchronous execution of a guarded command in each of these locations.



Airport Example. We consider a system that is required to control the check-in and boarding of passengers as well as the take-off of planes at airports. In the case of flights with stops, the system should also control the boarding and deplaning of passengers during the intermediate stops. The design solution we shall adopt distributes the system over hosts at airports and planes and comprises mobile agents moving from host to host. Moreover, some of the hosts are themselves mobile. Flight, seat, airport and plane identifiers are modelled by data types.

    ArpId                           % airport identifiers
    PlId                            % plane identifiers
    Flight                          % flight info
    src:  Flight -> ArpId           % source of flights
    dest: Flight -> ArpId           % destination of flights
    next: ArpId * Flight -> ArpId   % next stop relationship of flights

We need a bi-dimensional space in order to model (1) the physical movement of planes and, consequently, the movement of the hosts they hold, and (2) code mobility. We define the data types Phy and Host to model these two dimensions. Locations consist of a physical location followed by a logical one, Phy.Host. For simplicity, we consider that airports and planes are associated with single hosts.

    Host                            % logical dimension
    ahost: ArpId -> Host
    phost: PlId -> Host
    Phy = ArpId + {air}             % physical dimension
    Loc = Phy.Host                  % locations
    ph:   Loc -> Phy                % 1st projection
    host: Loc -> Host               % 2nd projection

In the envisaged airport system, we may easily identify two component types, passenger and plane; both have a dynamic set of instances in the running system. Passengers have a seat in a given flight and are involved in activities such as check-in, boarding and exiting the plane. Planes operate flights, transporting luggage and passengers. They take off and land, possibly more than once.

    design passenger is
      inloc l
      prv s@l : [0..2], seat@l : StId, fl@l : Flight
      do checkin@l : [ s=0 → s:=1 ]
      [] boards@l  : [ s=1 → s:=2 ]
      [] leaves@l  : [ s=2 → s:=1 ]

    design plane is
      outloc l
      out fl@l : Flight
      prv s@l : [0..3], id@l : PlId, a@l : ArpId
      do load_lug@l   : [ s=0 → s:=1 ]
      [] takesoff@l   : [ s=1 ∧ ph(l) ≠ dest(fl) → s:=2 || l:=air.host(l) || a:=next(a,fl) ]
      [] lands@l      : [ s=2 → s:=1 || l:=a.host(l) ]
      [] unload_lug@l : [ s=1 ∧ ph(l) = dest(fl) → s:=3 ]
Planes offer one output channel so that their behaviour can be coordinated according to the flights they operate. Whereas planes have output locations, passengers have input locations: this is because planes control their own mobility whereas passenger movement is determined by the environment, namely the planes that they board. It remains to define the coordination of the activities of planes and passengers at departure, namely the fact that a plane can take off only when all passengers that checked in are on board. In CommUnity, the mechanisms through which coordination between system components is achieved can be completely externalised from the component programs and modelled explicitly as first-class citizens. The global property of the airport system just described can be achieved by interconnecting a plane and each of its passengers through a connector that ensures that the action takesoff of plane cannot precede the action boards of passenger. This coordination activity can be established by interconnecting plane and passenger to a scheduler: a program seq with two actions ac1 and ac2 that have to be executed in order. The required interconnection is expressed through the following diagram

    connector departure(passenger, plane) is

      design cable1 is      design seq is                   design cable2 is
        inloc x               inloc l                         inloc x
        do a                  prv s@l : [0..2]                do a
                              do ac1@l : [ s=0 → s:=1 ]
                              [] ac2@l : [ s=1 → s:=2 ]

      passenger ---- cable1 ---- seq ---- cable2 ---- plane

[In the original diagram the cables identify boards of passenger with ac1 of seq, and takesoff of plane with ac2 of seq.]

This connector type ensures, for the instances of planes and passengers to which it is applied, that the plane takes off only when the passenger is on board (cf. 3).

The physical presence of a passenger at a check-in counter has to give rise to the creation of an instance of passenger somewhere. Recall that the location of passenger was defined to be controlled by the environment but, so far, we have not specified by whom and how. We opt for a solution where the instances of passenger are mobile agents. They are initially placed on the host of the source airport but boarding triggers their migration to the host of the corresponding plane. The required pattern of distribution and mobility of passenger can be regarded as part of the necessary coordination between the passenger and the corresponding plane in the system. In fact, it can be completely externalised from the component design and modelled explicitly as a first-class citizen through a binary distribution connector. The passenger and the corresponding plane have to be interconnected through a program driver as shown in the following diagram.

    design cable3 is
      inloc x
      in y : Flight
      do ac1 [] ac2

    design driver is
      inloc lp
      outloc l
      in fl : Flight
      prv a@l : ArpId, inplane@l : bool
      do mv@l     : [ ¬inplane → l:=lp || inplane:=true ]
      [] tk@l     : [ inplane → l:=air.host(l) || a:=next(a,fl) ]
      [] ld@l     : [ inplane → l:=a.host(l) ]
      [] tkidle@l : [ ¬inplane → skip ]
      [] ldidle@l : [ ¬inplane → skip ]

    passenger ---- driver ---- cable3 ---- plane

      lp ← x → l
      boards ← a → mv
      tk, tkidle → ac1 ← takesoff
      ld, ldidle → ac2 ← lands

This diagram defines that the program driver controls the location of the passenger. Boarding is defined to be the trigger for the migration and the new position is provided by the plane: its own current location. Moreover, from that moment on, the location of the passenger is subject to the same changes as the location of that plane.
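The designs and the two connectors above, as an added example that is not part of the original paper: a small Python simulator for CommUnity-style designs in which each action is a guard plus a body, locations are (phy, host) pairs, and the actions that a cable identifies are fired together as one joint action whose guard is the conjunction of the participants' guards. That joint-action reading of the diagrams, the airport identifiers A1 and A2, the host names h_plane and h_A1, and a single-hop next function are assumptions of the example; the action names and guards follow the designs in the text.

```python
AIR = "air"   # the extra physical position in Phy = ArpId + {air}

def ph(loc):
    """1st projection Loc -> Phy; a location is modelled as a (phy, host) pair (assumption)."""
    return loc[0]

def host(loc):
    """2nd projection Loc -> Host."""
    return loc[1]

class Design:
    """A CommUnity design reduced to what the simulator needs: a state dict holding
    its channels and locations, and guarded actions name -> (guard, body)."""
    def __init__(self, name, state, actions):
        self.name, self.state, self.actions = name, state, actions

    def enabled(self, action):
        return self.actions[action][0](self.state)

    def run(self, action):
        self.actions[action][1](self.state)

def build_system(flight):
    """Instantiates plane, passenger, seq and driver for one flight (a dict with
    'src' and 'dest' airport identifiers) and wires them as the departure and
    distribution connectors do. Host names are constructed for the example."""
    def next_stop(a, fl):            # next: ArpId * Flight -> ArpId; single hop assumed
        return fl["dest"]

    plane = Design("plane",
        {"s": 0, "l": (flight["src"], "h_plane"), "a": flight["src"], "fl": flight},
        {"load_lug":   (lambda st: st["s"] == 0, lambda st: st.update(s=1)),
         "takesoff":   (lambda st: st["s"] == 1 and ph(st["l"]) != st["fl"]["dest"],
                        lambda st: st.update(s=2, l=(AIR, host(st["l"])),
                                             a=next_stop(st["a"], st["fl"]))),
         "lands":      (lambda st: st["s"] == 2,
                        lambda st: st.update(s=1, l=(st["a"], host(st["l"])))),
         "unload_lug": (lambda st: st["s"] == 1 and ph(st["l"]) == st["fl"]["dest"],
                        lambda st: st.update(s=3))})
    passenger = Design("passenger",
        {"s": 0, "l": (flight["src"], "h_" + flight["src"])},   # input location, set by driver
        {"checkin": (lambda st: st["s"] == 0, lambda st: st.update(s=1)),
         "boards":  (lambda st: st["s"] == 1, lambda st: st.update(s=2)),
         "leaves":  (lambda st: st["s"] == 2, lambda st: st.update(s=1))})
    seq = Design("seq", {"s": 0},                               # the scheduler of departure
        {"ac1": (lambda st: st["s"] == 0, lambda st: st.update(s=1)),
         "ac2": (lambda st: st["s"] == 1, lambda st: st.update(s=2))})
    pst = passenger.state   # driver's output location l is the passenger's location,
    driver = Design("driver", {"inplane": False, "a": flight["src"]},   # its input lp is plane.l
        {"mv":     (lambda st: not st["inplane"],
                    lambda st: (pst.update(l=plane.state["l"]), st.update(inplane=True))),
         "tk":     (lambda st: st["inplane"],
                    lambda st: (pst.update(l=(AIR, host(pst["l"]))),
                                st.update(a=next_stop(st["a"], flight)))),
         "ld":     (lambda st: st["inplane"],
                    lambda st: pst.update(l=(st["a"], host(pst["l"])))),
         "tkidle": (lambda st: not st["inplane"], lambda st: None),
         "ldidle": (lambda st: not st["inplane"], lambda st: None)})
    joint = {   # rendezvous sets induced by the cables of the two connectors
        "boards":        [(passenger, "boards"), (seq, "ac1"), (driver, "mv")],
        "takesoff":      [(plane, "takesoff"), (seq, "ac2"), (driver, "tk")],
        "takesoff_idle": [(plane, "takesoff"), (seq, "ac2"), (driver, "tkidle")],
        "lands":         [(plane, "lands"), (driver, "ld")],
        "lands_idle":    [(plane, "lands"), (driver, "ldidle")],
    }
    return {"plane": plane, "passenger": passenger, "seq": seq, "driver": driver, "joint": joint}

def fire(joint):
    """Executes a joint action only if every participant's guard holds; one disabled
    participant blocks the rendezvous, which is how seq enforces the ordering."""
    if not all(d.enabled(a) for d, a in joint):
        return False
    for d, a in joint:
        d.run(a)
    return True

def departure_scenario(flight):
    """Returns what a verifier would check: whether the plane could take off before
    boarding, and where the passenger is as the plane moves."""
    sy = build_system(flight)
    plane, passenger, j = sy["plane"], sy["passenger"], sy["joint"]
    fire([(plane, "load_lug")])
    early = fire(j["takesoff"]) or fire(j["takesoff_idle"])   # seq.ac2 before ac1: refused
    fire([(passenger, "checkin")])
    fire(j["boards"])                                           # migrates passenger to the plane
    boarded_at = passenger.state["l"]
    fire(j["takesoff"])
    airborne = (plane.state["l"], passenger.state["l"])
    fire(j["lands"])
    landed = (plane.state["l"], passenger.state["l"])
    return {"took_off_before_boarding": early, "boarded_at": boarded_at,
            "airborne": airborne, "landed": landed}
```

Running departure_scenario({"src": "A1", "dest": "A2"}) shows the two properties the connectors are meant to give: the take-off rendezvous is refused while seq still waits for ac1, and once boards has fired the passenger's location is rewritten by the driver in lock-step with the plane's (air during the flight, the destination airport after landing).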



4.2 Klaim 

Klaim [11,4] (Kernel Language for Agent Interaction and Mobility) is an experimental kernel programming language specifically designed to model and to program distributed concurrent applications with code mobility. The language is inspired by the Linda coordination model [19], hence it relies on the concept of tuple space. A tuple space is a multiset of tuples; these are containers of information items (called fields). There can be actual fields (i.e. expressions, processes, localities, constants, identifiers) and formal fields (i.e. variables). Syntactically, a formal field is denoted with !ide, where ide is an identifier. For instance, the sequence ("foo", "bar", !Price) is a tuple with three fields: the first two fields are string values while the third one is a formal field.

Tuples are anonymous and content-addressable. Pattern-matching is used to select tuples in a tuple space. Two tuples match if they have the same number of fields and corresponding fields match: a formal field matches any value of the same type, and two actual fields match only if they are identical (but two formals never match). For instance, tuple ("foo", "bar", 100+200) matches with ("foo", "bar", !Val). After matching, the variable of a formal field gets the value of the matched field: in the previous example, after matching, Val (an integer variable) will contain the integer value 300.

Tuple spaces are placed on nodes that are part of a net. Each node contains a single tuple space and processes in execution; a node can be accessed through its address. There are two kinds of addresses: sites are the identifiers through which nodes can be uniquely identified within a net; localities are symbolic names for nodes. A reserved locality, self, can be used by processes to refer to their execution node. Sites have an absolute meaning and can be thought of as IP addresses, while localities have a relative meaning depending on the node where they are interpreted and can be thought of as aliases for network resources. Localities are associated to sites through allocation environments, represented as partial functions. Each node has its own environment that, in particular, associates self to the site of the node.

Klaim processes may run concurrently, both at the same node or at different nodes, and can perform five basic operations over nodes. in(t)@ℓ evaluates the tuple t and looks for a matching tuple t' in the tuple space located at ℓ. Whenever the matching tuple t' is found, it is removed from the tuple space. The corresponding values of t' are then assigned to the formal fields of t and the operation terminates. If no matching tuple is found, the operation is suspended until one is available. read(t)@ℓ differs from in(t)@ℓ only because the tuple t', selected by pattern-matching, is not removed from the tuple space located at ℓ. out(t)@ℓ adds the tuple resulting from the evaluation of t to the tuple space located at ℓ. eval(P)@ℓ spawns process P for execution at node ℓ. newloc(s) creates a new node in the net and binds its site to s. The node can be considered a "private" node that can be accessed by the other nodes only if the creator communicates the value of variable s, which is the only way to access the fresh node. Finally, Klaim processes are built up from the special process nil, that does not perform any action, and from the basic operations by using standard operators borrowed from process algebras [33], namely action prefixing, parallel composition and process definition. In particular, recursive behaviours are modelled via process definitions. It is assumed that each process identifier A, parameterised w.r.t. P̃, ℓ̃ and ẽ, has a single defining equation of the form A(P̃, ℓ̃, ẽ) = P (the notation ˜ denotes a list of objects of a given kind).



A Klaim Extension: OpenKlaim. OpenKlaim, that has been first presented 
in [4], is an extension of Klaim that was specifically designed for enabling users 
to give more realistic accounts of open systems. Indeed, open systems are dy- 
namically evolving structures: new nodes can get connected or existing nodes can 
disconnect. Connections and disconnections can be temporary and unexpected. 
Thus, the Klaim assumption that the underlying communication network will 
always be available is too strong. Moreover, since network routes may be affected 
by restrictions (such as temporary failures or firewall policies), naming may not 
suffice to establish connections or to perform remote operations. Therefore, to 
make Klaim suitable for dealing with open systems, the need has arisen to ex- 
tend the language with constructs for explicitly modelling connectivity between 
network nodes and for handling changes in the network topology. 

OpenKlaim is obtained by equipping Klaim with mechanisms to dynamically update allocation environments and to handle node connectivity, and with a new category of processes, called coordinators, that, in addition to the standard Klaim operations, can execute privileged operations that permit establishing new connections, accepting connection requests and removing connections. The new privileged operations can also be interpreted as movement operations: entering a new administrative domain, accepting incoming nodes and exiting from an administrative domain, respectively. The syntax of OpenKlaim processes is presented in Table 1.

Table 1. OpenKlaim Syntax.

    f  ::= e | P | l | *l | !x | !X | !l        Tuple fields
    t  ::= f | f,t                               Tuples
    ℓ  ::= l | s                                 Localities & sites

    P  ::= nil                                   null process
         | a.P                                   action prefixing
         | P1 | P2                               parallel composition
         | A(P̃, ℓ̃, ẽ)                           process invocation

    a  ::= out(t)@ℓ                              output
         | in(t)@ℓ                               input
         | read(t)@ℓ                             read
         | eval(P)@ℓ                             migration
         | bind(l,s)                             bind

    C  ::= P                                     (standard) process
         | pa.C                                  action prefixing
         | C1 | C2                               parallel composition
         | A(P̃, ℓ̃, ẽ)                           coordinator invocation

    pa ::= a                                     (standard) action
         | newloc(s,C)                           creation
         | login(ℓ)                              login
         | logout(ℓ)                             logout
         | accept(s)                             accept

    C  ::= ⟨et⟩ | C | C1 | C2                    Node components
    N  ::= s ::_ρ^S C                            single node
         | N1 || N2                              net composition

OpenKlaim processes can be thought of as user programs and differs from 
Klaim processes in the following three respects. 

— When tuples are evaluated, locality name resolution does not take place automatically anymore. Instead, it has to be explicitly required by putting the operator * in front of the locality that has to be evaluated. For instance, (3, l) and (s, out(s1)@s2.nil) are fully evaluated while (3, *l) and (*l, out(l)@self.nil) are not.

— Operation newloc cannot be performed by user processes anymore. It is 
now part of the syntax of coordinator processes because, when a new node 
is created, it is necessary to install one such process at it and, for security 
reasons, user processes cannot be allowed to do this. 

— Operation bind has been added in order to enable user processes to en- 
hance local allocation environments with new aliases for sites. For instance, 
bind(l, s) enhances the local allocation environment with the new alias I 
for s. 

Coordinators can be thought of as processes written by node managers, a sort of superusers. Thus, in addition to the standard Klaim operations, such processes can execute local (namely, they are not indexed with a locality) coordination operations to establish new connections (viz. login(ℓ)), to accept connection requests (viz. accept(s)), and to remove connections (viz. logout(ℓ)). Coordinators are stationary processes (namely, they cannot occur as arguments of eval) and cannot be used as tuple fields. They are installed at a node either when the node is initially configured or when the node is dynamically created, e.g. when a coordinator performs newloc(s,C) (where C is a coordinator).

An OpenKlaim network node is a 4-tuple of the form s ::_ρ^S C, where s is the site of the node (i.e. its physical address in the net), ρ is the local allocation environment, S gives the set of nodes connected to s and C are the components located at the node, i.e. the parallel composition of evaluated tuples (represented as ⟨et⟩) and of (user and) coordinator processes. A net can be either a single node or the parallel composition of two nets N1 and N2 with disjoint sets of node sites.

If s ::_ρ^S C is a node in the net, then we will say that the nodes in S are logged in s and that s is a gateway for those nodes. A node can be logged in more than one node, that is, it can have more than one gateway. Moreover, if s1 is logged in s2 and s2 is logged in s3 then s3 is a gateway for s1 too. Gateways are essential for communication: two nodes can interact only if there exists a node that acts as gateway for both. Moreover, to evaluate locality names, whenever s1 is logged in s2, if a locality cannot be resolved by just using the allocation environment of s1, then the allocation environment of s2 (and possibly that of nodes to which s2 is logged in) is also inspected.

The OpenKlaim approach puts forward a clean separation between the co- 
ordinator level (made up by coordinator processes) and the user level (made up 
by standard processes). This separation makes a considerable impact. From an 
abstract point of view, the coordinator level may represent the network oper- 
ating system running on a specific computer and the user level may represent 
the processes running on that computer. The new privileged operations are then 
system calls supplied by the network operating system. From a more implemen- 
tation oriented point of view, the coordinator level may represent the part of 
a distributed application that takes care of the connections to a remote server 
(if the application is a client) or that manages the connected clients (if the ap- 
plication is a server). The user level then represents the remaining parts of the 
application that can interact with the coordinator by means of some specific 
protocols. 

To save space, here we do not show the OpenKlaim operational semantics (we refer the interested reader to [4]). Informally, the meaning of the coordination primitives is the following. Operation newloc(s, C) creates a new node in the net, binds the site of the new node to s and installs the coordinator C at the new node. Notice that a newloc does not automatically log the new node in the generating one. This can be done by installing a coordinator in the new node that performs a login. Differently from the standard Klaim newloc operation, the environment is not explicitly inherited by the created node; instead it is subsumed by using the "logged in" relationships among nodes. Operation login(ℓ) logs the executing node, say s, in ℓ but only if at ℓ there is a coordinator willing to accept a connection, namely a coordinator of the form accept(s').C. As a consequence of this synchronisation, s is added to the set S of nodes logged in ℓ and s' is replaced with s within C. Operation logout(ℓ) disconnects the executing node, say s, from ℓ. As a consequence, s is removed from the set S of nodes logged in ℓ and any alias for s is removed from the allocation environment of ℓ.

An OpenKlaim Implementation of the Airport Scenario. As an example of the use of OpenKlaim, we consider in this section the simplified airport scenario, with planes landing and taking off and passengers arriving and departing. The scenario we want to implement has the following specification:

— a passenger has to check in before boarding a plane;

— a plane is ready to take off when all passengers have boarded and the luggage has been loaded.

Passengers already have a boarding card, thus each passenger knows the plane and seat assigned to him/her and, moreover, the number of passengers that must board a plane is known. For simplicity's sake, we only model one airport, one plane, and the passengers that must board that plane.

We can identify two participants, passenger and plane; both have a dynamic set of instances in the running system. The implementation we present models each instance as an OpenKlaim node. Methods (i.e. checkin, loadLug and so on) are implemented by OpenKlaim processes. We model passenger and plane mobility via the OpenKlaim primitives for reconfiguring open nets (i.e. login, accept and logout).

The model of the physical space is represented by an OpenKlaim net. For each airport there exists a node in the net where passengers and planes can be hosted (i.e. connected). Airport nodes represent the immobile nodes of the system; passenger and plane are mobile nodes. In the system we present, each mobile node (plane and passengers) is initially connected with an immobile node (airport).

Passengers have already been assigned a seat in a given flight and are involved in activities such as check-in and boarding the plane. Planes make flights by transporting luggage and passengers. A passenger first checks in, then he can board the plane. A plane has to load all the luggage and all passengers having a boarding card for that flight before it can take off.

Node passenger hosts processes checkin and boards defined as follows:

    checkin(airport, flight, seat) ≝ out("checkin", *self, flight, seat)@airport.
                                     in("checkinOk")@self.
                                     out("boardOk")@self

    boards(airport, plane) ≝ in("boardOk")@self.
                             login(plane).
                             logout(airport).
                             out("boards", *self)@plane

Process checkin, parameterised w.r.t. airport, flight and seat, merely sends a "checkin" request to the airport and waits for the "checkinOk" reply. Process boards, parameterised w.r.t. airport and plane, after checkin has been completed, allows passengers to log in the plane and to log out of the airport (this implements the physical mobility of passengers).

Node plane hosts processes loadLug and takesoff defined as follows:

    loadLug(airport) ≝ out("loadLug", *self)@airport.
                       in("loadLugOk")@self.
                       out("takeoffOk")@self

    takesoff(airport) ≝ accept(s1).
                        in("boards", s1)@self.
                        ...
                        accept(sn).
                        in("boards", sn)@self.
                        in("takeoffOk")@self.
                        logout(airport).
                        out("On air!")@self

Process loadLug, parameterised w.r.t. airport, simply represents the loading of luggage. Process takesoff, parameterised w.r.t. airport, allows the plane to log out of the airport only when all the passengers are on board (i.e. have been accepted by the plane). Note that each accept(si) binds si to whichever node logs in next: the plane does not check that this node holds a boarding card for the flight, so the take-off condition rests on the known number n of passengers and on the "boards" tuples they emit.

Node airport hosts processes handleCheckin and handleLoadLug, used to handle check-in requests from passengers and loading-luggage messages from planes respectively, defined as follows:

    handleCheckin ≝ in("checkin", !l, !flight, !seat)@self.
                    out("checkinOk")@l.
                    handleCheckin

    handleLoadLug ≝ in("loadLug", !l)@self.
                    out("loadLugOk")@l.
                    handleLoadLug

Finally, the overall system is defined by a net with a node for each instance of airport, plane and passenger:

    system ≝ airport || plane || passenger1 || ... || passengern

where each node is defined as follows:

    airport    ≝ s_arp ::{s_arp/self} handleCheckin | handleLoadLug
    plane      ≝ s_pln ::{s_pln/self, s_arp/airport} loadLug(airport) | takesoff(airport)
    passengeri ≝ s_i ::{s_i/self, s_arp/airport, s_pln/plane} checkin(airport, flight, seati) | boards(airport, plane)
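The tuple matching rules of Section 4.2, the gateway rule for OpenKlaim nets and the airport processes just listed, as one added example that is not part of the original paper: a Python model of a tuple space with Klaim matching (formals match actuals of their type, actuals must be identical, two formals never match), nodes with a "logged in" set, a reachability check that requires a common gateway before a remote out, and a sequential run of the checkin / boards / loadLug / takesoff / handleCheckin / handleLoadLug exchanges for one airport, one plane and n passengers. Assumptions: a blocking in or read is rendered as returning None, a node counts as a gateway for itself, the site names s_arp, s_pln and s_i, the flight name lh123 and the seat numbers are constructed, and login(gw) at s is modelled as directly adding s to the gateway's set, standing in for the accept(s) synchronisation.

```python
class Formal:
    """A formal field !x: matches any actual field of type typ and binds it to name."""
    def __init__(self, name, typ):
        self.name, self.typ = name, typ

def match(template, candidate):
    """Klaim matching: same arity; a formal matches an actual of its type, two actuals
    match only if identical, two formals never match. Returns the bindings or None."""
    if len(template) != len(candidate):
        return None
    env = {}
    for f, v in zip(template, candidate):
        if isinstance(f, Formal) and isinstance(v, Formal):
            return None
        if isinstance(f, Formal) and isinstance(v, f.typ):
            env[f.name] = v
        elif isinstance(v, Formal) and isinstance(f, v.typ):
            continue
        elif isinstance(f, Formal) or isinstance(v, Formal) or f != v:
            return None
    return env

class Node:
    """An OpenKlaim node: its site, its tuple space and the set S of nodes logged in."""
    def __init__(self, site):
        self.site, self.ts, self.logged = site, [], set()
    def out(self, t):
        self.ts.append(tuple(t))
    def read(self, template, remove=False):   # read(t)@self; in(t)@self when remove
        for i, t in enumerate(self.ts):
            env = match(template, t)
            if env is not None:
                if remove:
                    del self.ts[i]
                return env
        return None                           # the real operation would block here
    def in_(self, template):
        return self.read(template, remove=True)

class Net:
    """Nodes plus the 'logged in' relation; a remote out() needs a common gateway."""
    def __init__(self):
        self.nodes = {}
    def add(self, site):
        return self.nodes.setdefault(site, Node(site))
    def login(self, s, gw):                   # login(gw) at s, matched by accept(s) at gw
        self.nodes[gw].logged.add(s)
    def logout(self, s, gw):
        self.nodes[gw].logged.discard(s)
    def gateways(self, s):                    # s itself (assumed) plus transitive gateways
        seen, todo = {s}, [s]
        while todo:
            x = todo.pop()
            new = {g for g, n in self.nodes.items() if x in n.logged} - seen
            seen |= new
            todo.extend(new)
        return seen
    def remote_out(self, src, dst, t):
        if not self.gateways(src) & self.gateways(dst):
            raise ConnectionError(f"{src} cannot reach {dst}: no common gateway")
        self.nodes[dst].out(t)

def run_airport(n, flight="lh123"):
    """One airport, one plane, n passengers, run in the order of the processes above;
    reports take-off before/after boarding and airport reachability afterwards."""
    net = Net()
    arp, pln = net.add("s_arp"), net.add("s_pln")
    pax = [net.add(f"s_{i}") for i in range(1, n + 1)]
    for p in pax + [pln]:                     # mobile nodes start logged in the airport
        net.login(p.site, "s_arp")

    def takesoff():                           # plane: takesoff(airport)
        boarded = [pln.read(("boards", p.site)) is not None for p in pax]
        if pln.read(("takeoffOk",)) is None or not all(boarded):
            return False                      # fewer than n passengers accepted so far
        for p in pax:
            pln.in_(("boards", p.site))
        pln.in_(("takeoffOk",))
        net.logout("s_pln", "s_arp")
        pln.out(("On air!",))
        return True

    net.remote_out("s_pln", "s_arp", ("loadLug", "s_pln"))       # loadLug
    env = arp.in_(("loadLug", Formal("l", str)))                  # handleLoadLug
    net.remote_out("s_arp", env["l"], ("loadLugOk",))
    pln.in_(("loadLugOk",))
    pln.out(("takeoffOk",))
    early = takesoff()
    for seat, p in enumerate(pax, 1):
        net.remote_out(p.site, "s_arp", ("checkin", p.site, flight, seat))   # checkin
        env = arp.in_(("checkin", Formal("l", str), Formal("f", str), Formal("s", int)))
        net.remote_out("s_arp", env["l"], ("checkinOk",))        # handleCheckin
        p.in_(("checkinOk",))
        p.out(("boardOk",))
        p.in_(("boardOk",))                                       # boards
        net.login(p.site, "s_pln")                                # accept(s_i) at the plane
        net.logout(p.site, "s_arp")
        net.remote_out(p.site, "s_pln", ("boards", p.site))
    late = takesoff()
    reachable = bool(net.gateways(pax[0].site) & net.gateways("s_arp"))
    return {"took_off_early": early, "took_off": late,
            "on_air": pln.read(("On air!",)) is not None,
            "airport_reachable_after_takeoff": reachable}
```

run_airport(2) refuses the early take-off because the two "boards" tuples are not yet in the plane's tuple space, takes off once both passengers have been accepted, and afterwards reports that a passenger can no longer reach the airport: the passenger is logged in only at the plane, the plane has logged out of the airport, so no node is a gateway for both.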
5 Specification Framework for Evolution

The objective of this research is to design a framework for the specification and analysis of the system's evolution arising from reconfiguration and mobility. This includes extensions to Graph Transformation and Tile Logic to include key features for representing distribution and mobility, the application of such extensions to model the evolution arising from the reconfiguration of the distribution connectors introduced in the research on architectures, and the development of analysis techniques for the verification of security and behavioural properties of mobile distributed systems, including the design of topological modalities. The logical techniques developed will be generalised to allow for combination with other formalisms.

During the first year of the project the grounds were set for the integrated 
specification framework by extending graph transformations and tile logic by en- 
coding of Single-Pushout graph rewriting into Tiles, defining transactions in the 
Tile Model, by adding higher order features for graph rewriting, and by defining 
an appropriate graph transformation framework for the operational semantics 
of UML. To obtain analysis techniques for security and behavioural properties, 
two ambient-like calculi were developed [35,32] and a technique for the analysis 
of graph transformation systems was proposed [2] . 

In the following we will focus on the operational semantics of UML object 
and activity diagrams by Graph Transformation Systems. Starting from the 
UML specification, we first show how to encode instance diagrams as graphs of 
a suitable kind, in order to define rule-based transformations on them. Next we 
represent behavioural diagrams as graph transformation systems: we consider 
a simple activity diagram, and we present one graph transformation rule for 
each activity in it. Each rule will describe the local evolution of the system 
resulting from the corresponding activity. Most importantly, by resorting to the 
theory of graph transformation we are able to show that the proposed rules 
implement correctly the dependencies among the various activities, as described 
in the activity diagram. Finally, we show that a generalisation of the example by 
allowing a list of passengers boarding to a plane (instead of a single passenger) , 
can be modelled conveniently by an extension of graph transformation with 
synchronisation, which is a specific Tile Model. 

5.1 Modelling the Airport Scenario with Graph Transformation 

The various kinds of diagrams used in a UML specification essentially are graphs annotated in various ways. Therefore it comes as no surprise that many contributions in the literature use techniques based on the theory of graph transformation to provide an operational semantics for UML behavioural diagrams (see, among others, [12,22,30,29,15,21]). Clearly, a pre-requisite for any such graph transformation based semantics is the formal definition of the structure of the graphs which represent the states of the system, namely the instance graphs. However, there is no common agreement about this: we shall present a novel formalisation, which shares some features with the one proposed in [23].
An instance graph includes a set of nodes, which represent all data belonging 
to the state of an execution. Some of them represent the elements of primitive 
data types, while others denote instances of classes. Every node may have at 
most one outgoing hyperedge, i.e., an edge connecting it to zero or more nodes¹. 

Conceptually, the node can be interpreted as the "identity" of a data element, 
while the associated hyperedge, if there is one, contains the relevant information 
about its state. A node without outgoing hyperedges is either a constant or a 
variable. 

Typically, an instance of a class C is represented by a node n and by a 
hyperedge labelled with the pair (instanceName : C). This hyperedge has node n 
as its only source, and for each attribute of the class C it has a link (a target 
tentacle) labelled by the name of the attribute and pointing to the node representing 
the attribute value. Every instance graph also includes, as nodes, all constant 
elements of primitive data types, like integers (0, 1, -1, ...) and booleans (true 
and false), as well as one node null_C for each relevant class C. 

Figure 10 (a) shows an instance diagram which represents the initial state of 
the airport scenario. As usual, the attributes of an instance may be represented 
as directed edges labelled by the attribute name, and pointing to the attribute 
value. The edge is unlabelled if the attribute name coincides with the class of the 
value (e.g., lh123 is the value of the plane attribute of tck). An undirected edge 
represents two directed edges between its endpoints. The diagram conforms to a 
class diagram that is not depicted here. 

Figure 10 (b) shows the instance graph (according to the above definitions) 
encoding the instance diagram. Up to a certain extent (disregarding OCL formu- 
las and cardinality constraints), a class diagram can be encoded in a correspond- 
ing class graph as well; then the existence of a graph morphism (i.e., a structure 
preserving mapping) from the instance graph to the class graph formalizes the 
relation of conformance. 

In the following we shall depict the states of the system as instance diagrams, 
which are easier to draw and to understand, but they are intended to represent 
the corresponding instance graphs. 

Figure 3 shows the activity diagram of the Use Case Departure of the airport 
case study. This behavioural diagram ignores the structure of the states and the 
information about which instances are involved in each activity, but stresses the 
causal dependencies among activities and the possible parallelism among them. 
More precisely, from the diagram one infers the requirement that board and 
load_luggage can happen in any order, after check_in and before take_off. 

By making explicit the roles of the various instances in the activities, we shall 
implement each activity as a graph transformation rule. Such rules describe local 
modifications of the instance graphs resulting from the corresponding activities. 
We will show that they provide a correct implementation of the activity diagram, 
since the above requirement is met. 

Let us first consider the activity board. Conceptually, in the simplified model 
we are considering, its effect is just to change the location of the passenger (i.e., 
its atLoc attribute) from the airport to the plane. In the rule which implements 
the activity, we make explicit the preconditions for its application: 1) the 
passenger must have a ticket for the flight using that plane; 2) the value of the 
checked attribute of the ticket must be true; 3) the plane and the passenger must 
be at the same location, which is an airport. 

¹ Formally, the graphs are term graphs [10, 36]. 

Fig. 10. An instance diagram (a) and the corresponding instance graph (b). 

Fig. 11. The graph transformation rule for boarding. 

All this is represented in the graph transformation rule implementing the 
activity board, shown in Fig. 11. Formally, this is a double-pushout graph 
transformation rule [9], having the form $L \xleftarrow{\ l\ } K \xrightarrow{\ r\ } R$, where $L$, $K$ and $R$ are instance 
graphs, and $l$ and $r$ are graph morphisms (inclusions, in this case; they are 
determined implicitly by the position of nodes and edges). 

Intuitively, a rule states that whenever we find an occurrence of the left-hand 
side $L$ in a graph $G$ we may replace it with the right-hand side $R$. The interface 
graph $K$ and the two morphisms $l$ and $r$ provide the embedding information, that 
is, they specify where $R$ should be glued with the context graph obtained from 
$G$ by removing $L$. More precisely, an occurrence of $L$ in $G$ is a graph morphism 
$g : L \to G$. The context graph $D$ is obtained by deleting from $G$ all the nodes and 
edges in $g(L \setminus l(K))$ (thus all the items in the interface $K$ are preserved by the 
transformation). The embedding of $R$ in $D$ is obtained by taking their disjoint 
union, and then by identifying, for each node or edge $x$ in $K$, its images $g(x)$ in 
$G$ and $r(x)$ in $R$; formally, this operation is a pushout in a suitable category. 
Fig. 12. The rules for boarding (a) and for checking in (b) as collaboration diagrams. 



Comparing the three graphs in the rule, one can see that in order to change 
the value of the attribute atLoc of the Passenger, the whole hyperedge is deleted 
and created again: one cannot delete a single attribute, as the resulting structure 
would not be a legal hypergraph. The node representing the identity of the 
passenger, on the other hand, is preserved by the rule. Also, all the other items 
present in the left-hand side (needed to enforce the preconditions for the 
application of the rule) are not changed by the rule. 

It is possible to use a much more concise representation of a rule of this 
kind, by depicting it as a single graph (the union of $L$ and $R$), and annotating 
which items are removed and which are created by the rule. Figure 12 (a) shows 
an alternative but equivalent graphical representation of the rule of Fig. 11 as 
a degenerate kind of collaboration diagram (without sequence numbers, guard 
conditions, etc.) according to [8]. 

Here the state of the system is represented as an instance diagram, and the 
items which are deleted by the rule (resp. created) are marked by {destroy} (resp. 
{new}); beware that these constraints refer to the whole Passenger instance, and 
not only to the atLoc tentacle. For graph transformation rules with injective 
right-hand side (like all those considered here), this representation is equivalent 
to the one above, and for the sake of simplicity we will stick to it. 

Figure 12 (b) and Fig. 13 (a, b) show the rules implementing the remaining 
three activities of Fig. 3, namely check_in, load_luggage and take_off: the 
corresponding full graphical representation can be recovered easily. Notice that the 
effect of the take_off rule is to change the value of the atLoc attribute of the plane: 
we set it to null, indicating that the location is not meaningful after taking off; 
as a different choice we could have used a generic location like Air or Universe. 

The next statement, by exploiting definitions and results from the theory of 
graph transformation, describes the causal relationships among the potential rule 
applications to the instance graph of Fig. 10 (b), showing that the dependencies 
among activities stated in the diagram of Fig. 3 are correctly realized by the 
proposed implementation. 
Fig. 13. The rules for loading the luggage (a) and for taking off (b). 



Proposition 1 (Causal dependencies among rules implementing activities). 
Given the start instance graph $G_0$ of Fig. 10 (b) and the four graph 
transformation rules of Fig. 12 and 13, 

— the only rule applicable to $G_0$ is check_in, producing, say, the instance graph 
$G_1$; 

— both board and load_luggage can be applied to graph $G_1$, in any order or even 
in parallel, resulting in all cases in the same graph (up to isomorphism), say 
$G_2$; 

— rule take_off can be applied to $G_2$, but not to any other instance graph 
generated by the mentioned rules. 


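The four rules and Proposition 1 can be checked mechanically on a small encoding of the instance graph. The following Python is an added example written for this edition, not code from the AGILE project or from the paper: instance graphs are dictionaries (node → hyperedge, with one entry per tentacle), each rule is a function that returns the rewritten graph or None when no occurrence satisfies its preconditions, and an attribute change deletes and re-creates the whole hyperedge, as the text describes. The node names, the attribute names other than atLoc, checked and plane, and the exact preconditions of check_in and load_luggage (which Fig. 12 (b) and Fig. 13 (a) fix but the text does not spell out) are assumptions.

```python
import json
from collections import deque

NULL_LOC = "null_Airport"   # the null_C node for the location class (assumed name)

# Constructed initial instance graph G0, modelled on Fig. 10 (b): each key is a node,
# its value is the hyperedge leaving it (class label plus one entry per attribute
# tentacle). Nodes without a hyperedge (constants, null_C) are simply absent.
G0 = {
    "john":  {"class": "Passenger", "atLoc": "muc", "ticket": "tck", "luggage": "bag"},
    "bag":   {"class": "Luggage",   "atLoc": "muc"},
    "tck":   {"class": "Ticket",    "checked": False, "plane": "lh123"},
    "lh123": {"class": "Plane",     "atLoc": "muc"},
    "muc":   {"class": "Airport"},
}

def is_airport(G, node):
    return node in G and G[node]["class"] == "Airport"

def rewrite(G, node, **changes):
    """DPO-style attribute update: the hyperedge of `node` is deleted as a whole and
    re-created with the new tentacle values; the node itself (the identity) is kept,
    as are all other items of the match (they belong to the interface K)."""
    D = {n: dict(e) for n, e in G.items()}     # context graph D, plus the rest of G
    old = D.pop(node)                          # remove the old hyperedge
    D[node] = {**old, **changes}               # glue the new hyperedge onto the same node
    return D

def matches(G):
    """Occurrences of the left-hand side shared by all four rules:
    (passenger, ticket, luggage, plane of the ticket)."""
    for p, e in G.items():
        if e["class"] == "Passenger":
            yield p, e["ticket"], e["luggage"], G[e["ticket"]]["plane"]

def check_in(G):
    # assumed preconditions: passenger and plane at the same airport, ticket not checked
    for p, t, lug, pl in matches(G):
        loc = G[p]["atLoc"]
        if not G[t]["checked"] and is_airport(G, loc) and loc == G[pl]["atLoc"]:
            return rewrite(G, t, checked=True)
    return None

def board(G):
    # the three preconditions stated in the text for the rule of Fig. 11
    for p, t, lug, pl in matches(G):
        loc = G[p]["atLoc"]
        if G[t]["checked"] and is_airport(G, loc) and loc == G[pl]["atLoc"]:
            return rewrite(G, p, atLoc=pl)
    return None

def load_luggage(G):
    # assumed to mirror board, for the luggage instead of the passenger
    for p, t, lug, pl in matches(G):
        loc = G[lug]["atLoc"]
        if G[t]["checked"] and is_airport(G, loc) and loc == G[pl]["atLoc"]:
            return rewrite(G, lug, atLoc=pl)
    return None

def take_off(G):
    # single-passenger model: passenger and luggage on the plane, plane still at an airport
    for p, t, lug, pl in matches(G):
        if G[p]["atLoc"] == pl and G[lug]["atLoc"] == pl and is_airport(G, G[pl]["atLoc"]):
            return rewrite(G, pl, atLoc=NULL_LOC)
    return None

RULES = {"check_in": check_in, "board": board,
         "load_luggage": load_luggage, "take_off": take_off}

def applicable(G):
    """Names of the rules that have an occurrence satisfying their preconditions in G."""
    return sorted(name for name, rule in RULES.items() if rule(G) is not None)

def reachable(G):
    """Every instance graph derivable from G by the four rules (a finite set here)."""
    key = lambda H: json.dumps(H, sort_keys=True)
    seen, todo = {key(G): G}, deque([G])
    while todo:
        H = todo.popleft()
        for rule in RULES.values():
            N = rule(H)
            if N is not None and key(N) not in seen:
                seen[key(N)] = N
                todo.append(N)
    return list(seen.values())

def check_proposition1(G=G0):
    """The three claims of Proposition 1 as booleans: only check_in at G0; board and
    load_luggage both enabled at G1 and commuting; take_off enabled at G2 only."""
    only_check_in = applicable(G) == ["check_in"]
    G1 = check_in(G)
    G2 = load_luggage(board(G1))
    commute = applicable(G1) == ["board", "load_luggage"] and G2 == board(load_luggage(G1))
    take_off_only_at_G2 = all((take_off(H) is not None) == (H == G2) for H in reachable(G))
    return only_check_in, commute, take_off_only_at_G2

if __name__ == "__main__":
    print(check_proposition1())       # (True, True, True)
```

Because node names are fixed, "the same graph up to isomorphism" collapses to dictionary equality; the exploration of reachable graphs is what makes the third claim (take_off nowhere else) an actual check rather than a single test case.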

5.2 Enriching the Model with Synchronised Graph Transformation 

Quite obviously, the rule take_off presented in the previous subsection relies on 
the unrealistic assumption that the flight has only one passenger. Let us discuss how 
this assumption can be dropped by modelling the fact that the plane takes off 
only when ALL its passengers and ALL their luggage are on board. 

We shall exploit the expressive power of Synchronized Hypergraph Rewriting 
[24, 26, 25], an extension of hypergraph rewriting which uses some basic features 
inspired by the Tile Model [18], to model this situation in a very concise way. 
Intuitively, the plane has as attribute the collection of all the tickets for its flight, 
and when taking off it broadcasts a synchronization request to all the tickets in 
the collection. Each ticket can synchronize only if its passenger and its luggage 
are on the plane. If the synchronization fails, the take_off rule cannot be applied. 
This activity can be considered as an abstraction of the check performed by the 
hostess/steward before closing the gate. 

Conceptually, a graph transformation rule with synchronization is a rule 
where one or more nodes of the right-hand side may be annotated with an 
action. If the node is a variable, the action can be interpreted as a synchronization 
request issued to the instance which will be bound to the variable when 
applying the rule. If instead the annotated node is the source of an instance, the 
action can be interpreted as an acknowledgment issued by that instance. Given 
an instance graph, a set of such rules with synchronization can be applied 
simultaneously to it only if all synchronization requests are properly matched 
by a corresponding acknowledgment. 

Fig. 14. The rules for taking off while checking that all passengers are on board (a), 
and for acknowledging the synchronization (b). 



To use this mechanism in our case study, consider the association Plane ⇔ 
Ticket with the obvious meaning: we call ticketList the corresponding attribute 
of a plane (cf. Fig. 2). Figure 14 (a) shows rule take_off_synch: the plane takes 
off, changing its location from the airport to null, only if its request for a 
synchronization with a boarded action is acknowledged by its collection of tickets. 
In this rule we depict the state as an instance graph, because we want to show 
explicitly that a node representing the value of the attribute ticketList of the 
plane is annotated by the boarded action. On the other hand, according to rule 
boarded_ack, a ticket can acknowledge a boarded action only if its passenger and 
its luggage are both located on its plane. Here the state is depicted again as an 
instance diagram, and the boarded action is shown on the node representing 
the identity of the ticket. 

To complete the description of the system, we must explain how the tickets 
for the flight of concern are linked to the ticketList attribute of the plane. In 
order to obtain the desired synchronization between the plane and all its tickets, 
we need to assume that there is a subgraph which has, say, one "input node" (the 
ticketList attribute of the plane) and n "output nodes" (the tickets); furthermore, 
this subgraph should be able to "match" synchronization requests on its input 
to corresponding synchronization acknowledgments on its outputs. 

More concretely, this is easily obtained, for example, by assuming that the 
collection of tickets is a linked list, and by providing rules for propagating the 
synchronization along the list: this is shown in Fig. 15, where the rules are to be 
read as parametric with respect to the action act. 
Fig. 15. The rules start_act, next_act and last_act for broadcasting synchronizations along a linked list. 



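To make the broadcast concrete, the following Python, added here and not part of the paper or of the AGILE project, encodes the ticket list of a plane as linked-list cells in the instance graph and implements the request/acknowledgment matching of Figs. 14 and 15: take_off_synch issues a boarded request on the plane's ticketList node, the request is propagated cell by cell (the start_act, next_act and last_act rules), each ticket answers with boarded_ack only when its passenger and its luggage are on the plane, and the rewrite is performed only if every ticket acknowledges. Node names, the Cell class for list cells and the nil constant are assumptions; a plane with an empty ticket list is treated as trivially synchronised, a case the paper does not discuss.

```python
NIL = "nil"                  # end-of-list constant node (assumed name)
NULL_LOC = "null_Airport"    # null_C node for the location class (assumed name)

def make_state(n, boarded=(), loaded=()):
    """Constructed instance graph: one plane at airport muc whose ticketList is a linked
    list of n cells; passengers in `boarded` and luggage in `loaded` are already on board."""
    G = {"lh123": {"class": "Plane", "atLoc": "muc", "ticketList": "cell0" if n else NIL},
         "muc": {"class": "Airport"}}
    for i in range(n):
        G[f"cell{i}"] = {"class": "Cell", "ticket": f"tck{i}",
                         "next": f"cell{i + 1}" if i + 1 < n else NIL}
        G[f"tck{i}"] = {"class": "Ticket", "passenger": f"p{i}", "luggage": f"bag{i}",
                        "plane": "lh123", "checked": True}
        G[f"p{i}"] = {"class": "Passenger", "atLoc": "lh123" if i in boarded else "muc"}
        G[f"bag{i}"] = {"class": "Luggage", "atLoc": "lh123" if i in loaded else "muc"}
    return G

def set_location(G, node, loc):
    """Rewrite helper: delete and re-create the hyperedge of `node` with a new atLoc."""
    H = {k: dict(v) for k, v in G.items()}
    H[node] = {**H[node], "atLoc": loc}
    return H

def boarded_ack(G, ticket):
    """Rule boarded_ack (Fig. 14 b): the ticket acknowledges only if its passenger and
    its luggage are both located on its plane."""
    t = G[ticket]
    return G[t["passenger"]]["atLoc"] == t["plane"] and G[t["luggage"]]["atLoc"] == t["plane"]

ACK_RULES = {"boarded": boarded_ack}     # acknowledgment rule per action name

def broadcast(G, cell, act):
    """Propagate a request for `act` along the list starting at `cell` (start_act on the
    ticketList node, next_act on inner cells, last_act on the final cell) and collect the
    acknowledgments. Returns the acknowledging tickets, or None as soon as one ticket
    refuses: the synchronisation then fails as a whole and nothing is rewritten."""
    acks = []
    while cell != NIL:
        ticket = G[cell]["ticket"]
        if not ACK_RULES[act](G, ticket):
            return None
        acks.append(ticket)
        cell = G[cell]["next"]
    return acks

def take_off_synch(G, plane="lh123"):
    """Rule take_off_synch (Fig. 14 a): the plane leaves the airport (atLoc := null) only if
    its boarded request on the ticketList node is matched by every ticket; otherwise the
    rule is not applicable and None is returned."""
    loc = G[plane]["atLoc"]
    if loc not in G or G[loc]["class"] != "Airport":
        return None
    if broadcast(G, G[plane]["ticketList"], "boarded") is None:
        return None
    return set_location(G, plane, NULL_LOC)

def missing(G, plane="lh123"):
    """Diagnostic: the tickets whose acknowledgment is missing (the gate agent's checklist)."""
    cell, out = G[plane]["ticketList"], []
    while cell != NIL:
        t = G[cell]["ticket"]
        if not boarded_ack(G, t):
            out.append(t)
        cell = G[cell]["next"]
    return out

if __name__ == "__main__":
    G = make_state(3, boarded={0, 1}, loaded={0, 1, 2})
    print(missing(G), take_off_synch(G) is None)        # ['tck2'] True
    G = set_location(G, "p2", "lh123")
    print(take_off_synch(G)["lh123"]["atLoc"])           # null_Airport
```

The all-or-nothing behaviour is the point of the synchronised rewriting: a single refusing ticket (passenger boarded but luggage not loaded, or vice versa) leaves the graph untouched, and after the plane has left, the rule is no longer applicable because its location is no longer an airport.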
6 Concluding Remarks 

The AGILE project is developing an architectural approach to software develop- 
ment for global computing in which mobility aspects can be modelled explicitly 
at several levels of abstraction. The whole approach is developed over a uniform 
mathematical framework based on graph-oriented techniques to support sound 
methodological principles, formal analysis, and refinement. In this paper we have 
presented some of the results gained during the first project year. AGILE has 
obtained many other results concerning specification, verification and analysis of 
global computation systems we could not present here because of lack of space. 

Using the running example of the simple airport case study we have shown 
how several well-known modelling, coordination and programming languages can 
be extended or directly used to model mobility. In particular, we have presented 

— an extension of the UML for modelling mobility, 

— an extension of the program design language CommUnity to support mobility, and 

— OpenKLAIM, a language for programming distributed open systems, 

and have shown how graph transformation and tile logic can be used to 
give a mathematical basis to a kernel of UML with mobility. 

Currently, we pursue our goal of developing a mathematically well-founded 
architectural approach to software engineering of global computing systems. We 
are working on a tighter integration of the different formalisms by analysing their 
relationships, by defining further translations between each of the formalisms, 
and by studying analysis, verification and refinement techniques where also 
institutions and categorical techniques will play a major role. We have also started 
to design and implement tools for supporting software development with our 
methods. 
Abstract. Reo is a recently introduced channel-based model for coordination, 
wherein complex coordinators, called connectors, are compositionally 
built out of simpler ones. Using a more liberal notion of a channel, 
Reo generalises existing dataflow networks. In this paper, we present 
a simple and transparent semantical model for Reo, in which connectors 
are relations on timed data streams. Timed data streams constitute a 
characteristic of our model and consist of twin pairs of separate data 
and time streams. Furthermore, coinduction is our main reasoning 
principle and we use it to prove properties such as connector equivalence. 



1 Introduction 

Reo (from the Greek word ρέω which means "[I] flow") is a recently introduced 
[Arb02,AM02] channel-based coordination model, wherein complex coordinators, 
called connectors, are compositionally built out of simpler ones. Reo is intended 
as a “glue language” for construction of connectors that orchestrate component 
instances in a component-based system. The emphasis in Reo is on connectors 
and their composition only, not on the components that are being connected. In 
this paper, we present a simple and transparent semantical model of connectors 
and connector composition, which can be used as a compositional calculus, in 
which properties such as connector equivalence, optimization, and realization 
can be expressed and proved. 

The basic connectors are channels, each of which is a point-to-point com- 
munication medium with two distinct ends. Channels can be used as the only 
communication constructs in communication models for concurrent systems, be- 
cause the primitives of other communication models (e.g., message passing or 
remote procedure calls) can be easily defined using channels. In contrast to other 
channel-based models, Reo uses a generalised concept of channel. In addition to 
the common channel types of synchronous and asynchronous, with bounded or 
unbounded buffers, and with fifo and other ordering schemes, Reo allows an open 
ended set of channels, each with its own, sometimes exotic, behaviour. For in- 
stance, a channel in Reo need not have both an input and an output end; it can 
have two input ends or two output ends instead. In addition to channels, Reo 
has one more basic connector, called the merge operator. More complex connec- 
tors can then be constructed from the basic connectors (channels and merge) 
through an operation of connector composition. 

Because Reo is not concerned with the internal activity of the components 
that it connects, we represent components by their interfaces only. Therefore, 
we model the input ends and output ends of connectors as streams (infinite 
sequences) of abstract (uninterpreted) data items. Moreover, we associate with 
every such data stream an infinite sequence of (natural or non-negative real) 
numbers. These numbers stand for the respective moments in time at which 
their corresponding data items are being input or output. This allows us to 
describe and reason about the precise timing constraints of connectors (such as 
synchronous versus asynchronous, and bounded versus unbounded delay). Thus, 
we model the potential behaviour of connector ends as timed data streams, which 
are pairs consisting of a data stream and a time stream. Note that we use pairs of 
streams rather than streams of pairs (of timed data elements), since this enables 
us to reason about time explicitly, which turns out to be particularly useful. 

The main mathematical ingredients of our model are the sets $A^\omega$ of streams 
over some set $A$ (of data items or time moments). These sets carry a so-called 
final coalgebra structure, consisting of the well-known operations of head 
and tail (here called initial value and derivative). As a consequence, we can 
benefit from some basic but very general facts from the discipline of coalgebra, 
which over the last decade has been developed as a general behavioural theory 
for dynamical systems (see [JR97,Rut00] for an overview). In particular, the 
final coalgebra $A^\omega$ satisfies principles of coinduction, both for definitions and 
for proofs. The latter are formulated in terms of so-called stream bisimulations, 
an elementary variation on Park's and Milner's original notion of bisimulation 
for parallel processes [Mil80,Par81]. As we shall see, these coinduction principles 
are surprisingly powerful. They will be applied to both data streams and time 
streams. 

Having modelled connector ends as timed data streams, we then model con- 
nectors as relations on timed data streams, expressing which combinations of 
timed data streams are mutually consistent. This relational model is, in spite of 
its simplicity, already sufficiently expressive to study a number of notions and 
questions about component connectors, such as equivalence (when do two con- 
nectors have the same behavior?), expressiveness (which connectors can I build 
out of a given set of basic connectors?), optimization (given a connector, can 
I build an equivalent connector out of a smaller number of basic connectors?), 
verification (given the specification of a certain connector behavior and given 
a connector, does the connector meet the specification?), realization (given the 
specification of a certain connector behavior, can I actually build a connector 
with precisely that behavior out of a given set of basic connectors?), and the 
like. In the present paper, we shall mainly focus on connector equivalence and, 
to a lesser extent, the expressiveness of our connector calculus. 
Reo is more general than dataflow models, Kahn networks, and Petri nets, 
which can be viewed as specialised channel-based models that incorporate certain 
basic constructs for primitive coordination. While Reo is designed to deal 
with the flow of data, it, more specifically, differs fundamentally from classical 
dataflow models in four important aspects: 

1. Although not treated here, the topology of connections in 'full' Reo is 
inherently dynamic and accommodates mobility. 

2. Reo supports a much more general notion of channels. Amongst others, it 
allows the combined use of synchronous and asynchronous channels. 

3. The model of Reo is based on a clear separation of data and time. 

4. Coinduction is the main reasoning principle. 

Of all related work, Broy and Stølen's book [BS01] deserves special mention, since 
it is also based on (timed) data streams. However, the points mentioned above 
distinguish our model also from theirs. In particular, the separation of data and 
time, in our model, in combination with the use of coinduction, leads to simpler 
specifications (definitions) and proofs. See Section 9 for a concrete example. 
Finally, coalgebra and coinduction have been used in models of component-based 
systems in [Bar01] and [Dob02]. Also these models are distinguished from 
ours by the (first three) points above. Moreover, our model is far more concrete, 
and therefore allows actual equivalence proofs. 

2 Streams and Coinduction 

Let $A$ be any set and let $A^\omega$ be the set of all streams (infinite sequences) over $A$: 

$$A^\omega = \{\alpha \mid \alpha : \{0, 1, 2, \ldots\} \to A\}$$ 

We present some basic facts on $A^\omega$, notably how to give definitions and proofs 
by coinduction. In this section, the set $A$ is arbitrary but later, we shall look in 
particular at streams over some data set $D$ and streams over the time domain 
$\mathbb{R}_+$. 

Individual streams will be denoted as $\alpha = (\alpha(0), \alpha(1), \alpha(2), \ldots)$ (or $a = 
(a(0), a(1), a(2), \ldots)$). We call $\alpha(0)$ the initial value of $\alpha$. The (stream) derivative 
$\alpha'$ of a stream $\alpha$ is defined as 

$$\alpha' = (\alpha(1), \alpha(2), \alpha(3), \ldots)$$ 

Note that $\alpha'(n) = \alpha(n+1)$, for all $n \ge 0$. Later we shall also need 'higher-order' 
derivatives $\alpha^{(k)}$ for any $k \ge 0$, defined as $\alpha^{(0)} = \alpha$ and $\alpha^{(k+1)} = (\alpha^{(k)})'$. These 
satisfy $\alpha^{(k)}(n) = \alpha(n + k)$, for any $n \ge 0$. 

Stream initial values and derivatives will be used both in definitions of (operations 
on) streams and in proofs of properties of streams. In this manner, a 
calculus of streams is obtained, in close analogy to classical analysis. 
More specifically, we formulate definitions using the so-called behavioural 
differential equations, which specify both the initial value and the derivative of 
the stream being defined. Such definitions are also called coinductive. We illustrate 
this type of definition through a few basic examples. Let the operations 
even, odd, and zip be defined by the following system of equations (one for each 
$\alpha, \beta \in A^\omega$): 

$$\begin{array}{ll}
\text{behavioural differential equation} & \text{initial value} \\
even(\alpha)' = even(\alpha'') & even(\alpha)(0) = \alpha(0) \\
odd(\alpha)' = odd(\alpha'') & odd(\alpha)(0) = \alpha'(0) \\
zip(\alpha, \beta)' = zip(\beta, \alpha') & zip(\alpha, \beta)(0) = \alpha(0)
\end{array}$$ 

The reader should have no trouble convincing himself that these operations 
satisfy the following identities: 

$$\begin{array}{l}
even(\alpha) = (\alpha(0), \alpha(2), \alpha(4), \ldots) \\
odd(\alpha) = (\alpha(1), \alpha(3), \alpha(5), \ldots) \\
zip(\alpha, \beta) = (\alpha(0), \beta(0), \alpha(1), \beta(1), \ldots)
\end{array}$$ 



These equalities could in fact have been taken as definitions, but we prefer the 
coinductive definitions instead, because they allow the use of the coinduction proof 
principle, as we shall see shortly. 

As in analysis, whether a differential equation has a (unique) solution or 
not depends in general on the shape of the equation. For the three elementary 
behavioural differential equations above (and in fact all other equations that we 
shall encounter in the present paper), the existence of a unique solution can be 
easily established by some elementary reasoning. (For the general case, see the 
remark at the end of this section.) 

Proofs about streams will be given in terms of the following elementary notion. 
A (stream) bisimulation is a relation $R \subseteq A^\omega \times A^\omega$ such that, for all $\alpha$ and 
$\beta$ in $A^\omega$: 

$$\text{if } \alpha \, R \, \beta \text{ then } \begin{cases} (1)\ \alpha(0) = \beta(0) \text{ and} \\ (2)\ \alpha' \, R \, \beta' \end{cases}$$ 

(The union of all bisimulation relations is itself a bisimulation, called bisimilarity.) 
Bisimulations are used in the formulation of the following coinduction proof 
principle. For all $\alpha, \beta \in A^\omega$: 

$$\text{if } \alpha \, R \, \beta, \text{ for some bisimulation } R, \text{ then } \alpha = \beta \qquad (1)$$ 

In other words, in order to prove $\alpha = \beta$, it is sufficient to establish the existence 
of a bisimulation relation $R \subseteq A^\omega \times A^\omega$ such that $\alpha \, R \, \beta$. 

Consider for instance the following three identities on streams, for all $\alpha, \beta \in A^\omega$: 

1. $even(zip(\alpha, \beta)) = \alpha$ 

2. $odd(zip(\alpha, \beta)) = \beta$ 

3. $zip(even(\alpha), odd(\alpha)) = \alpha$ 

Since the following three relations on streams: 

1. $\{(even(zip(\alpha, \beta)), \alpha) \mid \alpha, \beta \in A^\omega\}$ 

2. $\{(odd(zip(\alpha, \beta)), \beta) \mid \alpha, \beta \in A^\omega\}$ 

3. $\{(zip(even(\alpha), odd(\alpha)), \alpha) \mid \alpha \in A^\omega\} \cup 
\{(zip(odd(\alpha), even(\alpha'')), \alpha') \mid \alpha \in A^\omega\}$ 

are bisimulations, the above three identities follow, respectively, by coinduction. 

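The behavioural differential equations above can be executed directly, because each one says how to obtain the initial value and the derivative of the defined stream from those of its arguments. The Python below is an added example for this edition, not code from the paper: a stream is an object carrying its initial value and a lazily evaluated derivative, even, odd and zip are transcribed from the table one to one, and bisimulation_upto checks the two bisimulation clauses along a finite number of derivatives. Such a finite check can refute an identity but never proves it; the proof is the coinduction argument with the three relations listed above. The sample streams nat and sq are constructed for the example.

```python
class Stream:
    """A stream alpha in A^omega, given coinductively by its initial value alpha(0)
    and a thunk computing its derivative alpha' (forced at most once)."""
    __slots__ = ("head", "_thunk", "_tail")

    def __init__(self, head, thunk):
        self.head, self._thunk, self._tail = head, thunk, None

    @property
    def tail(self):                      # the stream derivative alpha'
        if self._tail is None:
            self._tail = self._thunk()
        return self._tail

    def derivative(self, k):             # the higher-order derivative alpha^(k)
        s = self
        for _ in range(k):
            s = s.tail
        return s

    def at(self, n):                     # alpha(n) = alpha^(n)(0)
        return self.derivative(n).head

    def prefix(self, n):                 # (alpha(0), ..., alpha(n-1)) as a list
        out, s = [], self
        for _ in range(n):
            out.append(s.head)
            s = s.tail
        return out


def from_function(f, n=0):
    """The stream alpha with alpha(n) = f(n), i.e. alpha : {0,1,2,...} -> A."""
    return Stream(f(n), lambda: from_function(f, n + 1))


# The three behavioural differential equations, transcribed one to one:
# initial value first, derivative (in terms of derivatives of the arguments) second.
def even(a):
    return Stream(a.head, lambda: even(a.tail.tail))        # even(a)(0)=a(0), even(a)'=even(a'')

def odd(a):
    return Stream(a.tail.head, lambda: odd(a.tail.tail))    # odd(a)(0)=a'(0), odd(a)'=odd(a'')

def zip_(a, b):
    return Stream(a.head, lambda: zip_(b, a.tail))          # zip(a,b)(0)=a(0), zip(a,b)'=zip(b,a')


def bisimulation_upto(a, b, n):
    """Check clause (1), equal initial values, and clause (2), on the derivatives, n times.
    False refutes alpha = beta; True only means no difference exists in the first n positions."""
    for _ in range(n):
        if a.head != b.head:
            return False
        a, b = a.tail, b.tail
    return True


if __name__ == "__main__":
    nat = from_function(lambda n: n)           # (0, 1, 2, 3, ...)
    sq = from_function(lambda n: n * n)        # (0, 1, 4, 9, ...)
    print(zip_(nat, sq).prefix(6))             # [0, 0, 1, 1, 2, 4]
    print(bisimulation_upto(zip_(even(nat), odd(nat)), nat, 100))   # True
```

Nothing in the three definitions needs the closed forms (α(0), α(2), ...): the derivative thunks only ever refer back to even, odd and zip themselves, which is exactly what makes the equations a system with a unique solution.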
The validity of the proof principle itself can be easily established by proving 
$\alpha(n) = \beta(n)$ for all $n \ge 0$, by induction on $n$. More abstractly, both the 
coinduction proof and definition principle are ultimately based on the fact that the 
set $A^\omega$ carries a final coalgebra structure, which is given by the combination of 
the operations of initial value and stream derivative: 

$$\alpha \mapsto (\alpha(0), \alpha')$$ 

See [JR97,Rut00] for general references on coalgebra. For a detailed treatment of 
the final coalgebra of streams, see [Rut01]. The latter paper contains in particular 
detailed results about behavioural differential equations (for streams over the set 
$A = \mathbb{R}$ of real numbers). 



3 Coinduction and Greatest Fixed Points 

There is yet another, in fact more classical, way of understanding bisimulations 
and the coinduction proof principle. Consider the set 

$$\mathcal{P}(A^\omega \times A^\omega) = \{R \mid R \subseteq A^\omega \times A^\omega\}$$ 

of binary relations on $A^\omega$ and the function $\Phi : \mathcal{P}(A^\omega \times A^\omega) \to \mathcal{P}(A^\omega \times A^\omega)$ 
defined, for any $R \subseteq A^\omega \times A^\omega$, by 

$$\Phi(R) = \{(\alpha, \beta) \mid \alpha(0) = \beta(0) \wedge (\alpha', \beta') \in R\}$$ 

As an immediate consequence of the definition of bisimulation, we have 

$$R \text{ is a bisimulation} \iff R \subseteq \Phi(R)$$ 

Bisimulation relations are, in other words, post-fixed points of $\Phi$. (The 
characterisation of bisimulations as post-fixed points goes back, in the context of 
nondeterministic transition systems, to [Par81,Mil80].) Consequently, the 
coinduction proof principle (1) is equivalent to the following equality, where $id_{A^\omega} = 
\{(\alpha, \alpha) \mid \alpha \in A^\omega\}$: 

$$id_{A^\omega} = \bigcup \{R \mid R \subseteq \Phi(R)\}$$ 

Since $id_{A^\omega}$ is itself a (bisimulation and thus a) post-fixed point, it is in fact 
the greatest fixed point of $\Phi$. Therefore the above equality is an instance of the 
following well-known greatest fixed point theorem [Tar55]. Let $X$ be any set and 
let $\mathcal{P}(X) = \{V \mid V \subseteq X\}$ be the set of all its subsets. If $\Psi : \mathcal{P}(X) \to \mathcal{P}(X)$ is 
a monotone operator, that is, $R \subseteq S$ implies $\Psi(R) \subseteq \Psi(S)$ for all $R \subseteq X$ and 
$S \subseteq X$, then $\Psi$ has a greatest fixed point $P = \Psi(P)$ satisfying 

$$P = \bigcup \{R \mid R \subseteq \Psi(R)\} \qquad (2)$$ 

This equality can be used as a proof principle in the same way as (1): in order 
to prove that $R \subseteq P$, for any $R \subseteq X$, it suffices to show that $R$ is a post-fixed 
point of $\Psi$, that is, $R \subseteq \Psi(R)$. We shall see further instances of this theorem 
(and as many related proof principles) in Section 6. 

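On the infinite set $A^\omega$ the greatest fixed point of $\Phi$ cannot be computed, but on a finite coalgebra (a finite set of states, each with an initial value and a derivative state, i.e. an automaton generating eventually periodic streams) the descending chain $\Phi(\top) \supseteq \Phi^2(\top) \supseteq \cdots$ stabilises, and since $\Phi$ is monotone its limit is the greatest fixed point of (2). The Python below is an added example for this edition, not code from the paper: it encodes three such automata, computes bisimilarity as the greatest fixed point of $\Phi$, and checks that a hand-written relation is a post-fixed point and hence contained in it. The state names and the streams they generate are constructed for the example.

```python
def phi(R, out, nxt):
    """Phi(R) = {(s, t) | s(0) = t(0) and (s', t') in R} on a finite stream coalgebra:
    out[s] is the initial value of the stream generated from state s, nxt[s] the
    state generating its derivative."""
    return {(s, t) for (s, t) in R if out[s] == out[t] and (nxt[s], nxt[t]) in R}

def gfp_bisimilarity(out, nxt):
    """Greatest fixed point of Phi, by iterating Phi downward from the full relation.
    Phi is monotone and the state set is finite, so the chain stabilises at a fixed
    point that contains every post-fixed point, i.e. every bisimulation."""
    R = {(s, t) for s in out for t in out}
    while True:
        R_next = phi(R, out, nxt)
        if R_next == R:
            return R
        R = R_next

def is_bisimulation(R, out, nxt):
    """R is a bisimulation iff R is a post-fixed point of Phi: R subset of Phi(R)."""
    return R <= phi(R, out, nxt)

def generated_prefix(state, out, nxt, n):
    """The first n values of the stream generated from `state`, for inspection."""
    values = []
    for _ in range(n):
        values.append(out[state])
        state = nxt[state]
    return values

# Constructed example: A and B both generate (0, 1, 0, 1, ...) with 2 and 4 states,
# C generates (0, 1, 1, 0, 1, 1, ...). All three live in one state space.
OUT = {"A0": 0, "A1": 1,
       "B0": 0, "B1": 1, "B2": 0, "B3": 1,
       "C0": 0, "C1": 1, "C2": 1}
NXT = {"A0": "A1", "A1": "A0",
       "B0": "B1", "B1": "B2", "B2": "B3", "B3": "B0",
       "C0": "C1", "C1": "C2", "C2": "C0"}

# A hand-written bisimulation relating A and B state by state; by (2) it is
# contained in the greatest fixed point.
WITNESS = {("A0", "B0"), ("A1", "B1"), ("A0", "B2"), ("A1", "B3")}

if __name__ == "__main__":
    R = gfp_bisimilarity(OUT, NXT)
    print(sorted(t for (s, t) in R if s == "A0"))                 # ['A0', 'B0', 'B2']
    print(is_bisimulation(WITNESS, OUT, NXT), WITNESS <= R)       # True True
    print(is_bisimulation({("A0", "C0")}, OUT, NXT))              # False
```

Note how the pair (A0, C0) survives the first iterations (both start with 0, 1) and is only discarded once the chain has looked three derivatives ahead: the iteration is the operational counterpart of clause (2) of the bisimulation definition.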
4 Timed Data Streams 

We model connectors as relations on timed data streams, which we introduce in 
this section. 

For the remainder of this paper, let $D$ be an (arbitrary) set, the elements of 
which will be called data elements. The set $DS$ of data streams is defined as 

$$DS = D^\omega$$ 

that is, the set of all streams $\alpha = (\alpha(0), \alpha(1), \alpha(2), \ldots)$ over $D$. Let $\mathbb{R}_+$ be the 
set of non-negative real numbers, which play in the present context the role of 
time moments. Let $\mathbb{R}_+^\omega$ be the set of all streams $a = (a(0), a(1), a(2), \ldots)$ over 
$\mathbb{R}_+$. Let $<$ and $\le$ be the relations on $\mathbb{R}_+^\omega$ that are obtained as the pointwise 
extensions of the corresponding ('strictly smaller' and 'smaller than or equal') relations 
on $\mathbb{R}_+$. That is, for all $a = (a(0), a(1), a(2), \ldots)$ and $b = (b(0), b(1), b(2), \ldots)$ in 
$\mathbb{R}_+^\omega$, 

$$a < b \;\equiv\; \forall n \ge 0,\ a(n) < b(n), \qquad a \le b \;\equiv\; \forall n \ge 0,\ a(n) \le b(n)$$ 

The set $TS$ of time streams is defined by the following subset of $\mathbb{R}_+^\omega$: 

$$TS = \{a \in \mathbb{R}_+^\omega \mid a < a'\}$$ 

Note that time streams $a \in TS$ satisfy, for all $n \ge 0$, 

$$a(n) < a'(n) = a(n+1)$$ 

and thus consist of increasing time moments $a(0) < a(1) < a(2) < \cdots$. 

Finally, the set $TDS$ of timed data streams is defined by 

$$TDS = DS \times TS$$ 

and contains pairs $(\alpha, a)$ consisting of a data stream $\alpha = (\alpha(0), \alpha(1), \alpha(2), \ldots)$ 
in $DS$, and a time stream $a = (a(0), a(1), a(2), \ldots)$ in $TS$. 

As we shall see shortly, connectors will be modelled as relations on timed 
data streams. Each of the arguments of such a relation will be viewed as an 
input or as an output end of the connector that is modelled by the relation. 
Thus the following operational interpretation of a timed data stream $(\alpha, a)$ can 
be given: the time stream $a$ specifies for each $n \ge 0$ the time moment $a(n)$ at 
which the $n$th data element $\alpha(n)$ is being input or output: 

$$\begin{array}{lcccccc} \alpha: & \alpha(0) & \alpha(1) & \alpha(2) & \cdots & \alpha(n) & \cdots \\ a: & a(0) & a(1) & a(2) & \cdots & a(n) & \cdots \end{array}$$ 

Connectors being relations, there are typically many time streams $a$ possible at a 
specific connector end, which together with a given data stream $\alpha$ form 
admissible timed data streams $(\alpha, a)$, that is, satisfying the connector's relation. A 
timed data stream $(\alpha, a)$ could therefore also be viewed as a scenario, one out 
of many, for the behaviour of a connector end. Connectors, then, relate various 
such scenarios that together are mutually consistent. 

As we already observed in the introduction, one could have, alternatively and 
equivalently, defined timed data streams as (a subset of) $(D \times \mathbb{R}_+)^\omega$, because 
of the existence of an isomorphism 

$$D^\omega \times \mathbb{R}_+^\omega \cong (D \times \mathbb{R}_+)^\omega, \qquad (\alpha, a) \mapsto ((\alpha(0), a(0)), (\alpha(1), a(1)), (\alpha(2), a(2)), \ldots)$$ 

We prefer to work with pairs of streams rather than streams of pairs, because 
this will allow us to reason about the data streams and time streams separately, 
which turns out to be of crucial importance for much of what follows. 

We could also have used streams of natural numbers 0, 1, 2, ... for our timings, 
rather than (non-negative) real numbers. This difference would leave most of our 
model unaffected. Our model with 'continuous time', however, is more abstract 
than the model with 'discrete time' would be, in the sense that more connector 
equivalences can be proved. (In the world of temporal logic, this observation 
goes back to at least [BRP86].) An example is the equivalence of a fifo$_2$ buffer 
(with capacity 2) with the composition of two fifo$_1$ buffers in Section 7. 

Finally, it is often useful to require time streams $a$ to be not only increasing, 
$a < a'$, but also progressive: for every $N \ge 0$ there exists $n \ge 0$ with $a(n) > N$. 
This assumption prevents 'Zeno' paradoxes, where infinitely many actions take 
place in a bounded time interval. In most of what follows, the progressive time 
assumption is not used, but whenever it is, we shall mention it explicitly. 



5 Basic Connectors: Channels 

The most basic connectors are channels, which are formally defined as binary 
relations 

$$R \subseteq TDS \times TDS$$ 

on timed data streams. For such relations, we distinguish between input and 
output argument positions, called input ends and output ends, respectively. This 
information will be relevant for the definition of connector composition in Section 
7. In the pictures that we draw of channels and connectors, an input end is 
drawn as the shaft of an arrow and an output end as its head. 
Here are the (for our purposes) most important examples of channels:

1. The synchronous channel $\mathit{sync}$ is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{sync}} (\beta,b) \;\equiv\; \alpha = \beta \;\wedge\; a = b \]
This channel inputs the data elements of the stream $\alpha$ at times $a$, and outputs the data stream $\beta$ at times $b$. All data elements that come in, come out again (in the same order): $\alpha = \beta$. Moreover, each element enters and exits the channel at the very same time moment: $a = b$.

2. The synchronous drain $\mathit{syndr}$ is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{syndr}} (\beta,b) \;\equiv\; a = b \]
The corresponding data elements in the streams $\alpha$ and $\beta$ enter the two input ends of this channel simultaneously: $a = b$. No relation on the data streams is specified (the data elements enter and 'disappear').

3. The fifo buffer $\mathit{fifo}$ is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{fifo}} (\beta,b) \;\equiv\; \alpha = \beta \;\wedge\; a < b \]
This is an unbounded fifo (first-in-first-out) buffer. What comes in, comes out (in the same order): $\alpha = \beta$, but later: $a < b$ (which is equivalent to $a(n) < b(n)$, for all $n \ge 0$).

4. The $\mathit{fifo}_1$ buffer is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{fifo}_1} (\beta,b) \;\equiv\; \alpha = \beta \;\wedge\; a < b < a' \]
This models a 1-bounded fifo buffer. What comes in, comes out: $\alpha = \beta$, but later: $a < b$. Moreover, at any moment the next data item can be input only after the present data item has been output: $b < a'$, which is equivalent to $b(n) < a(n+1)$, for all $n \ge 0$.

5. The $\mathit{fifo}_k$ buffer, for any $k \ge 1$, is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{fifo}_k} (\beta,b) \;\equiv\; \alpha = \beta \;\wedge\; a < b < a^{(k)} \]
(Recall from Section 2 that $a^{(k)}$ denotes the $k$-th derivative of the stream $a$.) This models a $k$-bounded fifo buffer, generalising the $\mathit{fifo}_1$ buffer above. What comes in, comes out: $\alpha = \beta$, but later: $a < b$. Moreover, at any moment the $k$-th-next data item can be input only after the present data item has been output: $b < a^{(k)}$ (which is equivalent to $b(n) < a(n+k)$, for all $n \ge 0$).
6. Let $x \in D$ be any fixed data element. The $\mathit{fifo}(x)$ buffer is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{fifo}(x)} (\beta,b) \;\equiv\; \beta(0) = x \;\wedge\; \alpha = \beta' \;\wedge\; a < b' \]
This channel behaves precisely as the unbounded fifo buffer above, but for the fact that, initially, it contains the data element $x$, which is the first element to come out: $\beta(0) = x$ (at time $b(0)$).
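The six channels above are plain predicates on pairs of streams, which makes them easy to turn into executable checks. The following is an added example (not code from the paper): it models a timed data stream as a pair of equal-length Python lists and implements each channel relation on finite prefixes. Since only prefixes are available, a pointwise condition such as $a < b$ is checked on the indices that both prefixes define, and an exhausted prefix never refutes a relation. The names (`sync`, `syndr`, `fifo`, `fifo_k`, `fifo_x`, `derivative`) and the sample streams in `demo` are this example's own.

```python
"""Channels of Section 5 as decidable checks on finite prefixes of timed data streams.

Added example, not from the paper. A timed data stream (alpha, a) is a pair of
equal-length lists: alpha holds data, a holds strictly increasing positive
times. Only prefixes are available, so a relation such as a < b is checked on
the indices both prefixes define; the k-th derivative a^(k) drops the first k
elements. The sample streams in demo() are constructed for this example.
"""

def is_time_stream(a):
    """a(0) < a(1) < ... with all times positive reals."""
    return all(t > 0 for t in a) and all(x < y for x, y in zip(a, a[1:]))

def is_tds(alpha, a):
    """A timed data stream prefix: data and times of the same length."""
    return len(alpha) == len(a) and is_time_stream(a)

def derivative(s, k=1):
    """s^(k): the stream with its first k elements removed."""
    return s[k:]

def eq(s, t):
    """s = t, checked on the common prefix."""
    return all(x == y for x, y in zip(s, t))

def lt(a, b):
    """a < b pointwise (a(n) < b(n)), checked on the common prefix."""
    return all(x < y for x, y in zip(a, b))

def sync(alpha, a, beta, b):
    """Synchronous channel: alpha = beta and a = b."""
    return eq(alpha, beta) and eq(a, b)

def syndr(alpha, a, beta, b):
    """Synchronous drain: only the timing a = b is constrained."""
    return eq(a, b)

def fifo(alpha, a, beta, b):
    """Unbounded fifo: alpha = beta and a < b."""
    return eq(alpha, beta) and lt(a, b)

def fifo_k(k):
    """fifo_k: alpha = beta and a < b < a^(k), i.e. at most k items in flight."""
    def rel(alpha, a, beta, b):
        return eq(alpha, beta) and lt(a, b) and lt(b, derivative(a, k))
    return rel

fifo_1 = fifo_k(1)

def fifo_x(x):
    """fifo(x): buffer initially holding x, so beta(0) = x, alpha = beta', a < b'."""
    def rel(alpha, a, beta, b):
        return (len(beta) > 0 and beta[0] == x
                and eq(alpha, derivative(beta)) and lt(a, derivative(b)))
    return rel

def demo():
    """Constructed streams: four items entering at odd times."""
    alpha, a = ["d0", "d1", "d2", "d3"], [1, 3, 5, 7]
    assert is_tds(alpha, a)
    quick = [2, 4, 6, 8]       # each item leaves before the next one enters
    slow = [2, 6, 10, 12]      # d1 leaves only after d2 has entered
    return {
        "fifo1_quick": fifo_1(alpha, a, alpha, quick),
        "fifo1_slow": fifo_1(alpha, a, alpha, slow),
        "fifo2_slow": fifo_k(2)(alpha, a, alpha, slow),
        "fifo_slow": fifo(alpha, a, alpha, slow),
        "sync_reordered": sync(alpha, a, ["d1", "d0", "d2", "d3"], a),
        "fifox": fifo_x("x")(alpha, a, ["x"] + alpha, [0.5, 2, 4, 6, 8]),
    }

if __name__ == "__main__":
    for name, holds in demo().items():
        print(name, holds)
```

The `slow` output times show the difference between the bounded buffers: they violate $\mathit{fifo}_1$ (the second item leaves at time 6, after the third has entered at time 5) but satisfy $\mathit{fifo}_2$ and the unbounded $\mathit{fifo}$.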



6 More Channels and the Merge Connector 

The definitions of the basic (channel) connectors so far have been, mathemat- 
ically speaking, fairly straightforward. Next, we introduce some further basic 
connectors, including the merge operator, using greatest fixed point definitions. 
As we saw in Section 3, each of these definitions will come together with its own 
proof principle, similar to the coinduction principle in Section 2. 



1. The asynchronous drain $\mathit{asyndr}$ inputs any two streams of data items at its two input ends, but never at the same time (in contrast to the synchronous drain of Section 5). It is defined, for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{asyndr}} (\beta,b) \;\equiv\; a \bowtie b \]
where ${\bowtie} \subseteq TS \times TS$ is a relation on time streams, given by
\[ a \bowtie b \;\equiv\; a(0) \neq b(0) \;\wedge\; \begin{cases} a' \bowtie b & \text{if } a(0) < b(0) \\ a \bowtie b' & \text{if } b(0) < a(0) \end{cases} \]
More precisely, $\bowtie$ is defined as the greatest fixed point of the following monotone operator $\Phi_{\bowtie} : \mathcal{P}(TS \times TS) \to \mathcal{P}(TS \times TS)$, defined for $R \subseteq TS \times TS$ by
\[ \Phi_{\bowtie}(R) = \Big\{ (a,b) \;\Big|\; a(0) \neq b(0) \;\wedge\; \begin{cases} (a',b) \in R & \text{if } a(0) < b(0) \\ (a,b') \in R & \text{if } b(0) < a(0) \end{cases} \Big\} \]
Thus ${\bowtie} = \mathit{gfp}(\Phi_{\bowtie})$. A $\bowtie$-bisimulation is a relation $R \subseteq TS \times TS$ with $R \subseteq \Phi_{\bowtie}(R)$. There is, as an immediate consequence of (2) in Section 3, the following $\bowtie$-coinduction proof principle. For all time streams $a$ and $b$:
\[ \text{if } a \mathrel{R} b \text{ for some } \bowtie\text{-bisimulation } R, \text{ then } a \bowtie b \tag{3} \]
For an example of a proof by $\bowtie$-coinduction, see the end of the present section.
2. The connector merge is a ternary relation $M$ having two input ends and one output end, and is defined, for $(\alpha,a)$, $(\beta,b)$, $(\gamma,c)$, by
\[ M((\alpha,a),(\beta,b),(\gamma,c)) \;\equiv\; a(0) \neq b(0) \;\wedge\; \begin{cases} \alpha(0) = \gamma(0) \wedge a(0) = c(0) \wedge M((\alpha',a'),(\beta,b),(\gamma',c')) & \text{if } a(0) < b(0) \\ \beta(0) = \gamma(0) \wedge b(0) = c(0) \wedge M((\alpha,a),(\beta',b'),(\gamma',c')) & \text{if } b(0) < a(0) \end{cases} \]
This connector merges the two data streams $\alpha$ and $\beta$ on its input ends into a stream $\gamma$ on its output end, on a 'first come first served' basis. It inputs one data element at a time: $a(0) \neq b(0)$. The data element that is handled first, say $\alpha(0)$ at time $a(0) < b(0)$, is the first element to come out: $\alpha(0) = \gamma(0)$, at exactly the same moment: $a(0) = c(0)$. After that, the connector handles the remainder of the streams in the same manner again: $M((\alpha',a'),(\beta,b),(\gamma',c'))$. (Similarly for the case that $\beta(0)$ is handled first, at time $b(0) < a(0)$.) The relation $M$ can be formally defined as the greatest fixed point of a monotone operator $\Phi_M$ defined, for any $R \subseteq TDS \times TDS \times TDS$, by
\[ \Phi_M(R)((\alpha,a),(\beta,b),(\gamma,c)) \;\Longleftrightarrow\; a(0) \neq b(0) \;\wedge\; \begin{cases} \alpha(0) = \gamma(0) \wedge a(0) = c(0) \wedge R((\alpha',a'),(\beta,b),(\gamma',c')) & \text{if } a(0) < b(0) \\ \beta(0) = \gamma(0) \wedge b(0) = c(0) \wedge R((\alpha,a),(\beta',b'),(\gamma',c')) & \text{if } b(0) < a(0) \end{cases} \]
An $M$-bisimulation is a relation $R$ with $R \subseteq \Phi_M(R)$ and we have an $M$-coinduction proof principle: if $R((\alpha,a),(\beta,b),(\gamma,c))$, for some $M$-bisimulation $R$, then $M((\alpha,a),(\beta,b),(\gamma,c))$.

Under the assumption that our time streams are progressive (defined at the end of Section 4), the merge operator is fair: from both input ends, infinitely many data elements will be input.

3. The lossy synchronous channel $\mathit{lossy}$ is defined, for all $(\alpha,a)$ and $(\beta,b)$, by
\[ (\alpha,a) \mathrel{\mathit{lossy}} (\beta,b) \;\equiv\; a(0) \le b(0) \;\wedge\; \begin{cases} \alpha(0) = \beta(0) \wedge (\alpha',a') \mathrel{\mathit{lossy}} (\beta',b') & \text{if } a(0) = b(0) \\ (\alpha',a') \mathrel{\mathit{lossy}} (\beta,b) & \text{if } a(0) < b(0) \end{cases} \]
This channel passes an input data element instantaneously on as an output element: $\alpha(0) = \beta(0)$, in case $a(0) = b(0)$; after that, it continues with the remainder of the streams as before. If $a(0) < b(0)$, that is, if it is too early for the output end of the channel to be active, the input data element $\alpha(0)$ is simply discarded (lost), and the channel proceeds with $(\alpha',a')$ on its input and $(\beta,b)$ on its output end. As before, this channel can be formally defined as the greatest fixed point of a monotone operator on the set of binary relations on timed data streams.

Next, we illustrate the use of the coinduction proof principles that were introduced above. A look at the definition of $M$ and one moment's thought suffice to see that, for all timed data streams $(\alpha,a)$, $(\beta,b)$, $(\gamma,c)$,
\[ \text{if } M((\alpha,a),(\beta,b),(\gamma,c)) \text{ then } a \bowtie b \tag{4} \]
since the merge connector never inputs two data items at its two input ends at the same time. But how to prove it formally? The answer is provided by what we have called $\bowtie$-coinduction above. Consider the following relation:
\[ R = \{ (k,l) \mid \exists \kappa, \lambda, \mu, m : M((\kappa,k),(\lambda,l),(\mu,m)) \} \]
Using the definition of $M$, it is straightforward to prove that this is a $\bowtie$-bisimulation. As a consequence of (3), $R \subseteq {\bowtie}$, which implies (4). For a second example, consider the following equivalence, for all timed data streams $(\alpha,a)$, $(\beta,b)$, $(\gamma,c)$:
\[ M((\alpha,a),(\beta,b),(\gamma,c)) \;\Longleftrightarrow\; M((\beta,b),(\alpha,a),(\gamma,c)) \tag{5} \]
The implication from left to right (and thus the equivalence) follows by $M$-coinduction from the trivial observation that
\[ S = \{ ((\alpha,a),(\beta,b),(\gamma,c)) \mid M((\beta,b),(\alpha,a),(\gamma,c)) \} \]
is an $M$-bisimulation, which implies $S \subseteq M$.

7 Composing Connectors 

Connectors are relations and their composition can therefore be naturally modelled by relational composition. For instance, the composition of two copies of the synchronous channel yields the following binary relation, defined for all timed data streams $(\alpha,a)$ and $(\beta,b)$, by
\[ \begin{aligned} (\alpha,a) \mathrel{\mathit{sync} \circ \mathit{sync}} (\beta,b) &\;\equiv\; \exists(\gamma,c) : (\alpha,a) \mathrel{\mathit{sync}} (\gamma,c) \;\wedge\; (\gamma,c) \mathrel{\mathit{sync}} (\beta,b) \\ &\;\equiv\; \exists(\gamma,c) : (\alpha = \gamma \wedge a = c) \wedge (\gamma = \beta \wedge c = b) \end{aligned} \]
(which happens to be equivalent to $(\alpha,a) \mathrel{\mathit{sync}} (\beta,b) \equiv \alpha = \beta \wedge a = b$).

Composition essentially does two things at the same time: the output end (argument) of the first connector is identified with the input end of the second, and the resulting 'mixed' end is moreover hidden (encapsulated) by the existential quantification. We shall also use the following picture to denote connector composition:
\[ (\alpha,a) \mathrel{\mathit{sync}} \exists(\gamma,c) \mathrel{\mathit{sync}} (\beta,b) \]
Here $\exists(\gamma,c)$ is used to indicate that this is an internal end of the connector, which is no longer accessible (for further compositions) from outside. The two aspects of connector composition, identification and hiding, could, and for the full version of Reo actually should, be separated. But for the basic examples we shall be dealing with, this type of composition is sufficient.

Note that the identification of connector ends, which are timed data streams, 
includes the identification of the respective time streams, thus synchronising the 
timings of the two connectors. 

The general definition of the composition of an arbitrary n-ary connector R 
and an m-ary connector T, is essentially the same. One has to select a number of 
(distinct) output ends and input ends from R, and equal numbers of input ends 
and output ends from T, which then are connected in pairs in precisely the same 
manner as in the example above. To describe this in full generality, one would 
have to be slightly more formal and explicit about the (input and output) types 
of argument positions. Although not very difficult, such a formalisation would 
not be very interesting. Moreover, it will not be necessary for the instances of 
connector composition that will be presented here. In all cases, the relevant 
typing information will be contained in the pictorial representations with which 
connector compositions will be introduced. 

We shall also allow an output end to be connected to several input ends at the same time, to each of which the output is copied. Here is an example, in which the output end of a synchronous channel is connected to the input ends of two other synchronous channels, one leading to $(\beta,b)$ and one to $(\gamma,c)$:
\[ \begin{aligned} &(\alpha,a) \mathrel{\mathit{sync}} \exists(\delta,d) \mathrel{\mathit{sync}} (\beta,b), \qquad \exists(\delta,d) \mathrel{\mathit{sync}} (\gamma,c) \\ &\;\equiv\; \exists(\delta,d) : (\alpha = \delta \wedge a = d) \wedge (\delta = \beta \wedge d = b) \wedge (\delta = \gamma \wedge d = c) \\ &\;\equiv\; \alpha = \beta = \gamma \;\wedge\; a = b = c \end{aligned} \]
The connection of several output ends to one and the same input end can be modelled by means of the merge operator introduced in Section 6.

Finally, it is relevant to note that nothing in the above prevents us from 
connecting an output end to an input end of one and the same connector, simply 
by connecting them to the input end and the output end of a synchronous 
channel. In other words, we have in passing included the possibility of feedback 
loops into our calculus. 

Here are various examples of composite connectors (including examples of 
feedback) built out of a number of basic connectors. As usual, (a, a), {f3, b), ( 7 , c) 
are arbitrary timed data streams. 
1. The composition of two unbounded fifo buffers yields again an unbounded fifo buffer:
\[ \mathit{fifo} \circ \mathit{fifo} \;=\; \mathit{fifo} \]
because of the following equivalences:
\[ \begin{aligned} (\alpha,a) \mathrel{\mathit{fifo} \circ \mathit{fifo}} (\beta,b) &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}} \exists(\gamma,c) \mathrel{\mathit{fifo}} (\beta,b) \\ &\;\equiv\; \exists(\gamma,c) : \alpha = \gamma \wedge a < c \wedge \gamma = \beta \wedge c < b \\ &\;\equiv\; \alpha = \beta \wedge a < b \\ &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}} (\beta,b) \end{aligned} \]
(For the third step, given $a < b$, a witness is $\gamma = \alpha$ and $c = \tfrac{1}{2}(a + b)$, which is again a time stream.)
2. The composition of two $\mathit{fifo}_1$ buffers yields a $\mathit{fifo}_2$ buffer:
\[ \mathit{fifo}_1 \circ \mathit{fifo}_1 \;=\; \mathit{fifo}_2 \]
because
\[ \begin{aligned} (\alpha,a) \mathrel{\mathit{fifo}_1 \circ \mathit{fifo}_1} (\beta,b) &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}_1} \exists(\gamma,c) \mathrel{\mathit{fifo}_1} (\beta,b) \\ &\;\equiv\; \exists(\gamma,c) : \alpha = \gamma \wedge a < c < a' \wedge \gamma = \beta \wedge c < b < c' \\ &\;\Longrightarrow\; \alpha = \beta \wedge a < b < a'' \qquad [\text{since } c < a' \text{ implies } c' < a''] \\ &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}_2} (\beta,b) \end{aligned} \]
Given $\alpha = \beta$ and $a < b < a''$, the converse of the above implication can be proved by defining $\gamma = \alpha$ and
\[ c(n) = \tfrac{1}{2} \times \big( \max\{a(n), b(n-1)\} + \min\{a(n+1), b(n)\} \big) \]
for all $n \ge 0$ (where $b(n-1) = 0$ for $n = 0$).
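The witness $c(n)$ above is the part of the equivalence that a reader has to check by hand: it must lie strictly between $\max\{a(n), b(n-1)\}$ and $\min\{a(n+1), b(n)\}$, which is exactly what $a < b < a''$ guarantees. The following added example (not code from the paper) builds that witness from prefixes of $a$ and $b$ and verifies both $\mathit{fifo}_1$ constraints, $a < c < a'$ and $c < b < c'$, on it; it also shows the construction failing when $b < a''$ is violated. The function names and the sample times are this example's own; `lt` repeats the one-line prefix check of the Section 5 example.

```python
"""Relational composition with an explicit existential witness, Section 7:
fifo_1 o fifo_1 = fifo_2, with the paper's witness c(n) for the hidden end.

Added example, not from the paper. Given prefixes a and b of the visible time
streams with a < b < a'', fifo2_witness builds c(n) =
1/2 (max{a(n), b(n-1)} + min{a(n+1), b(n)}) and the caller checks that it
satisfies a < c < a' and c < b < c'. Sample times are constructed.
"""

def lt(a, b):
    """a < b pointwise on the common prefix."""
    return all(x < y for x, y in zip(a, b))

def fifo2_witness(a, b):
    """The paper's c(n), with b(-1) = 0; one value per n for which a(n+1)
    is available. Raises ValueError where the interval is empty, which
    happens exactly when a < b < a'' fails at that n."""
    c = []
    for n in range(len(a) - 1):
        prev_b = b[n - 1] if n > 0 else 0
        lo = max(a[n], prev_b)
        hi = min(a[n + 1], b[n])
        if not lo < hi:
            raise ValueError("a < b < a'' fails at n=%d" % n)
        c.append((lo + hi) / 2)
    return c

def is_fifo2(a, b):
    """alpha = beta is taken for granted; checks the timing a < b < a''."""
    return lt(a, b) and lt(b, a[2:])

def splits_into_two_fifo1(a, b):
    """True when the witness c makes both a fifo_1 c and c fifo_1 b hold."""
    c = fifo2_witness(a, b)
    return lt(a, c) and lt(c, a[1:]) and lt(c, b) and lt(b, c[1:])

def demo():
    a = [1, 3, 5, 7, 9]             # items enter the composite buffer
    b = [4, 6, 8, 10, 12]           # and leave before the second-next item enters
    too_slow = [4, 6, 10, 11, 13]   # item 2 leaves after a(4): violates b < a''
    try:
        fifo2_witness(a, too_slow)
        rejected = False
    except ValueError:
        rejected = True
    return fifo2_witness(a, b), is_fifo2(a, b), splits_into_two_fifo1(a, b), rejected

if __name__ == "__main__":
    print(demo())
```

For the constructed `a` and `b` the witness is $c = (2, 4.5, 6.5, 8.5, \ldots)$, each value strictly between the entry time of one item and the entry time of the next, so the hidden end is a genuine time stream and both halves of the composition are $\mathit{fifo}_1$ relations.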

3. Consider the following composition of three synchronous channels: $(\alpha,a) \mathrel{\mathit{sync} \circ \mathit{sync}} (\beta,b)$, with a third synchronous channel leading from the hidden middle end to $(\gamma,c)$. As computed above,
\[ \alpha = \beta = \gamma \;\wedge\; a = b = c \]
This connector can be viewed as a 'take-cue' regulator: any time a data item is taken from $\gamma$ (by some future context), that same data item is allowed to flow from left to right. This constitutes one of the most basic examples of what could be called exogenous coordination, that is, coordination from outside.
4. The following connector is a variation on the previous one, in that the lower channel, from the hidden middle end to $(\gamma,c)$, now is a synchronous drain:
\[ \alpha = \beta \;\wedge\; a = b = c \]
It is a 'write-cue' regulator that regulates the flow of data items from left to right by inputs or writes on the lower channel end. Note that what is being input there is irrelevant. What matters is that such inputs are synchronised, through the synchronous drain, with both the channels above: $a = b = c$.

5. With four synchronous channels and one synchronous drain, the following barrier synchroniser can be constructed: an upper composition $(\alpha,a) \mathrel{\mathit{sync} \circ \mathit{sync}} (\beta,b)$, a lower composition $(\gamma,c) \mathrel{\mathit{sync} \circ \mathit{sync}} (\delta,d)$, and a synchronous drain connecting the two hidden middle ends. The resulting relation is
\[ \alpha = \beta \;\wedge\; \gamma = \delta \;\wedge\; a = b = c = d \]
The synchronous drain in the middle ensures that data items pass through the upper and lower channels simultaneously.

6. Here is a simple example of a feedback loop, consisting of one (unbounded) fifo buffer containing an initial data element $x \in D$, and two synchronous channels. The $\mathit{fifo}(x)$ buffer leads from a hidden end $(\beta,b)$ to a hidden end $(\gamma,c)$; one synchronous channel feeds $(\gamma,c)$ back into $(\beta,b)$, and the other leads from $(\gamma,c)$ to the only visible end $(\alpha,a)$:
\[ \begin{aligned} &\exists(\beta,b)\,\exists(\gamma,c) : \big(\gamma(0) = x \wedge \beta = \gamma' \wedge b < c'\big) \wedge (\gamma = \beta \wedge c = b) \wedge (\gamma = \alpha \wedge c = a) \\ &\;\equiv\; \exists(\beta,b)\,\exists(\gamma,c) : \alpha = \beta = \gamma \wedge a = b = c \wedge \gamma(0) = x \wedge \gamma = \gamma' \wedge c < c' \\ &\;\equiv\; \exists(\beta,b)\,\exists(\gamma,c) : \alpha = \beta = \gamma \wedge a = b = c \wedge \gamma = (x,x,x,\ldots) \\ &\;\equiv\; \alpha = (x,x,x,\ldots) \end{aligned} \]
For the last but one equivalence, note that $(\gamma(0) = x \wedge \gamma = \gamma')$ is equivalent to $\gamma = (x,x,x,\ldots)$; moreover, the inequality $c < c'$ is redundant, because $c$ is by assumption a time stream and hence satisfies this inequality by definition. The behaviour of this connector is thus pretty much what it should be. It outputs perpetually the data element $x$. Note that there are no constraints on the time stream $a$ ($= b = c$). The only requirement is that it is indeed a time stream, that is, satisfies $a < a'$.
7. Let $x \in D$ be again some fixed data element. The following connector acts as a sequencer on its two connector ends $(\alpha,a)$ and $(\beta,b)$. It consists of two synchronous drains, a fifo buffer and a $\mathit{fifo}(x)$ buffer: the drains connect $(\alpha,a)$ to a hidden end $(\gamma,c)$ and $(\beta,b)$ to a hidden end $(\delta,d)$, the fifo buffer leads from $(\gamma,c)$ to $(\delta,d)$, and the $\mathit{fifo}(x)$ buffer leads back from $(\delta,d)$ to $(\gamma,c)$:
\[ \begin{aligned} &\exists(\gamma,c)\,\exists(\delta,d) : a = c \wedge d = b \wedge (\gamma = \delta \wedge c < d) \wedge (\gamma(0) = x \wedge \gamma' = \delta \wedge d < c') \\ &\;\equiv\; \exists(\gamma,c)\,\exists(\delta,d) : \gamma = \delta = (x,x,x,\ldots) \wedge c = a \wedge d = b \wedge (c < d < c') \\ &\;\equiv\; a < b < a' \end{aligned} \]
Thus, arbitrary data elements can be input alternatingly from the left and the right channel ends, at times
\[ a(0) < b(0) < a(1) < b(1) < \cdots \]
For future reference, we introduce the following notation for the sequencer connector:
\[ (\alpha,a) \mathrel{\mathit{seq}} (\beta,b) \;\equiv\; a < b < a' \tag{6} \]

8. One can construct a connector that serialises any number $k$ of channel ends by combining $k + 1$ sequencers. For instance, with three ends $(\alpha,a)$, $(\beta,b)$, $(\gamma,c)$ and sequencers between $a$ and $b$, between $a$ and $c$, and between $b$ and $c$:
\[ \begin{aligned} &(a < b < a') \wedge (a < c < a') \wedge (b < c < b') \\ &\;\equiv\; a < b < c < a' \end{aligned} \]



8 Connector Equivalence

In Section 7, we already saw some elementary examples of connector equivalence, such as:
\[ \mathit{fifo} \circ \mathit{fifo} \;=\; \mathit{fifo} \qquad\text{and}\qquad \mathit{fifo}_1 \circ \mathit{fifo}_1 \;=\; \mathit{fifo}_2 \]
Below we present some further, slightly less elementary examples.
1. Recall the definition of the sequencer in Section 7, built from two synchronous drains, a fifo buffer and a $\mathit{fifo}(x)$ buffer (where $x \in D$ is some fixed data item):
\[ (\alpha,a) \mathrel{\mathit{seq}} (\beta,b) \;\equiv\; a < b < a' \]
Here is an alternative way of constructing the sequencer, now with a 1-bounded fifo buffer and a synchronous drain:
\[ \begin{aligned} (\alpha,a) \mathrel{\mathit{fifo}_1 \circ \mathit{syndr}} (\beta,b) &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}_1} \exists(\gamma,c) \mathrel{\mathit{syndr}} (\beta,b) \\ &\;\equiv\; \exists(\gamma,c) : (\alpha = \gamma \wedge a < c < a') \wedge c = b \\ &\;\equiv\; a < b < a' \\ &\;\equiv\; (\alpha,a) \mathrel{\mathit{seq}} (\beta,b) \end{aligned} \]

2. Conversely, a 1-bounded fifo buffer can be constructed using two synchronous channels, a sequencer, and an unbounded fifo buffer: the fifo buffer leads from a hidden end $(\gamma,c)$ to a hidden end $(\delta,d)$, the sequencer is connected to these same two hidden ends, and the synchronous channels connect $(\alpha,a)$ to $(\gamma,c)$ and $(\delta,d)$ to $(\beta,b)$. We have the following equivalences:
\[ \begin{aligned} &(\alpha,a) \mathrel{\mathit{sync}} \exists(\gamma,c) \mathrel{\mathit{fifo}} \exists(\delta,d) \mathrel{\mathit{sync}} (\beta,b), \qquad \exists(\gamma,c) \mathrel{\mathit{seq}} \exists(\delta,d) \\ &\;\equiv\; \exists(\gamma,c)\,\exists(\delta,d) : (\alpha,a) = (\gamma,c) \wedge (\delta,d) = (\beta,b) \wedge (\gamma = \delta \wedge c < d) \wedge (c < d < c') \\ &\;\equiv\; \alpha = \beta \wedge a < b < a' \\ &\;\equiv\; (\alpha,a) \mathrel{\mathit{fifo}_1} (\beta,b) \end{aligned} \]
3. Recall the definition of the asynchronous drain in Section 6:
\[ (\alpha,a) \mathrel{\mathit{asyndr}} (\beta,b) \;\equiv\; a \bowtie b \]
Here is another way of constructing the asynchronous drain, using the merge connector and a synchronous drain (the hidden output end $(\gamma,c)$ of the merge feeds both ends of the drain, which yields the trivial condition $c = c$):
\[ \begin{aligned} &\exists(\gamma,c) : M((\alpha,a),(\beta,b),(\gamma,c)) \wedge c = c \\ &\;\equiv\; a \bowtie b \\ &\;\equiv\; (\alpha,a) \mathrel{\mathit{asyndr}} (\beta,b) \end{aligned} \]
For the middle equivalence, the implication from left to right follows from (4) in Section 6, which was proved by $\bowtie$-coinduction. The converse implication can be proved in a similar fashion, using $M$-coinduction.

4. Next we look at a connector that is built from two unbounded fifo buffers, the sequencer, and the merge operator: the fifo buffers lead from $(\alpha,a)$ to a hidden end $(\delta,d)$ and from $(\beta,b)$ to a hidden end $(\epsilon,e)$, the sequencer is connected to $(\delta,d)$ and $(\epsilon,e)$, and the merge takes these two hidden ends as its inputs and outputs $(\gamma,c)$. Using the coinduction proof principle, we shall prove that this connector has the following behaviour (with the operations $\mathit{zip}$, $\mathit{even}$ and $\mathit{odd}$ as in Section 2):
\[ \mathit{zip}(\alpha,\beta) = \gamma \;\wedge\; a < \mathit{even}(c) \;\wedge\; b < \mathit{odd}(c) \]
The proof consists of the following sequence of equivalences:
\[ \begin{aligned} &\exists(\delta,d)\,\exists(\epsilon,e) : (\alpha = \delta \wedge a < d) \wedge (\beta = \epsilon \wedge b < e) \wedge (d < e < d') \wedge M((\delta,d),(\epsilon,e),(\gamma,c)) \\ &\;\equiv\; \exists d, e : a < d \wedge b < e \wedge (d < e < d') \wedge M((\alpha,d),(\beta,e),(\gamma,c)) \\ &\;\equiv\; \exists d, e : a < d \wedge b < e \wedge \mathit{zip}(\alpha,\beta) = \gamma \wedge \mathit{zip}(d,e) = c \qquad [\text{using (7) below}] \\ &\;\equiv\; \exists d, e : a < d \wedge b < e \wedge \mathit{zip}(\alpha,\beta) = \gamma \wedge d = \mathit{even}(c) \wedge e = \mathit{odd}(c) \\ &\;\equiv\; \mathit{zip}(\alpha,\beta) = \gamma \wedge a < \mathit{even}(c) \wedge b < \mathit{odd}(c) \end{aligned} \]
We have used the following equivalence, which will be proved by coinduction:
\[ (d < e < d') \wedge M((\alpha,d),(\beta,e),(\gamma,c)) \;\Longleftrightarrow\; \big(\mathit{zip}(\alpha,\beta) = \gamma \wedge \mathit{zip}(d,e) = c\big) \tag{7} \]
For the implication from left to right, define the following relation on streams:
\[ R = \{ (\mathit{zip}(\kappa,\lambda), \mu) \mid \exists k, l, m : (k < l < k') \wedge M((\kappa,k),(\lambda,l),(\mu,m)) \} \]
We show that $R$ is a bisimulation. Consider a pair $(\mathit{zip}(\kappa,\lambda), \mu)$ in $R$, with corresponding time streams $k, l, m$. Because $k < l$ it follows from
\[ M((\kappa,k),(\lambda,l),(\mu,m)) \]
that $\mu(0) = \kappa(0)$, and since $\kappa(0) = \mathit{zip}(\kappa,\lambda)(0)$, this proves the first of the two bisimulation conditions. Next consider the pair of derivatives
\[ (\mathit{zip}(\kappa,\lambda)', \mu') = (\mathit{zip}(\lambda,\kappa'), \mu') \]
It follows from the definition of $M$ that the latter pair is again in $R$, since
\[ \begin{aligned} &(k < l < k') \wedge M((\kappa,k),(\lambda,l),(\mu,m)) \\ &\;\Longrightarrow\; (l < k' < l') \wedge M((\kappa',k'),(\lambda,l),(\mu',m')) \\ &\;\equiv\; (l < k' < l') \wedge M((\lambda,l),(\kappa',k'),(\mu',m')) \qquad [\text{by equivalence (5)}] \end{aligned} \]
This proves that $R$ is a bisimulation. Assuming now $(d < e < d')$ and
\[ M((\alpha,d),(\beta,e),(\gamma,c)) \]
$\mathit{zip}(\alpha,\beta) = \gamma$ follows by coinduction. In the same manner, one shows $\mathit{zip}(d,e) = c$. This proves the implication from left to right of equivalence (7). The implication from right to left can be proved along similar lines, using $M$-coinduction.



9 Protocol Verification

Our calculus of component connectors also allows the formulation and formal verification of communication protocols. We present a simple example, taken from [BS01, pp. 29-36]. It consists of an (unbounded fifo) lossy buffer composed with a driver that corrects the lossiness of the buffer. Below we specify both connectors, and prove that their composition is equivalent to an ordinary (correct) unbounded fifo buffer.

Let $(\alpha,a)$, $(\beta,b)$, and $(\delta,d)$ be timed data streams over an arbitrary data set $D$ and let $(\gamma,c)$ be a timed data stream with $\gamma \in \{0,1\}^\omega$. We define the lossy buffer as a ternary relation $L$ on timed data streams with one input end $(\beta,b)$ and two output ends $(\gamma,c)$ and $(\delta,d)$ as follows:
\[ \begin{aligned} L((\beta,b),(\gamma,c),(\delta,d)) \;\equiv\; b < c \;\wedge\; b < d \;\wedge\; \big( & \gamma(0) = 1 \wedge \delta(0) = \beta(0) \wedge L((\beta',b'),(\gamma',c'),(\delta',d')) \\ \vee\; & \gamma(0) = 0 \wedge L((\beta',b'),(\gamma',c'),(\delta,d)) \big) \end{aligned} \]
This connector inputs data items at the input end $\beta$. For every data item that is input, there are two possible scenarios: (1) the data item is stored successfully and is output (at some later moment) at the upper output end $\delta$ together (not necessarily simultaneously) with a success signal 1 along $\gamma$, after which the connector proceeds as before with the remainder of all streams involved. Or: (2) storage of the data item fails, no data item is output along the end $\delta$, a 0 signalling the failure is output along $\gamma$, and the connector proceeds as before, now with $(\beta',b')$ and $(\gamma',c')$, but with $(\delta,d)$ unchanged.

It follows from the definition of the lossy buffer that eventually some data item gets successfully stored and output. In other words, there exists $n \ge 0$ with $\gamma(n) = 1$. In order to prove this, assume $L((\beta,b),(\gamma,c),(\delta,d))$ and suppose that $\gamma(n) = 0$, for all $n \ge 0$. Then
\[ L((\beta^{(n)},b^{(n)}),(\gamma^{(n)},c^{(n)}),(\delta,d)) \]
for all $n \ge 0$ (recall that the superscript $(n)$ stands for the $n$-th derivative). As a consequence, $b^{(n)}(0) = b(n) < d(0)$, for all $n$. Under the assumption that our time streams are progressive (cf. the end of Section 4): for any $N > 0$ there exists $n > 0$ with $b(n) > N$, this is a contradiction. Therefore, there exists $n \ge 0$ with $\gamma(n) = 1$. We see that, somewhat surprisingly, the fact that all our streams are infinite and the assumption that time streams are progressive, together imply here the right type of fairness (or liveness) behaviour.

Next we turn to the driver, which has two input ends and one output end, and is defined as the following ternary relation $D$:
\[ \begin{aligned} D((\alpha,a),(\beta,b),(\gamma,c)) \;\equiv\; a = b \;\wedge\; a < c < a' \;\wedge\; \beta(0) = \alpha(0) \;\wedge\; \big( & \gamma(0) = 1 \wedge D((\alpha',a'),(\beta',b'),(\gamma',c')) \\ \vee\; & \gamma(0) = 0 \wedge D((\alpha,a'),(\beta',b'),(\gamma',c')) \big) \end{aligned} \]
The driver inputs data items at $\alpha$ and outputs them at $\beta$. Before proceeding with the next data item, it checks its input at $\gamma$. If $\gamma(0) = 1$ then the last data item that has been output is considered to have been handled correctly (by the lossy buffer in the composition below), and $D$ proceeds as before with the remainder of all streams involved. If $\gamma(0) = 0$, however, something has gone wrong (the buffer has lost the data item), and $D$ sends the data item again. This is modelled here by $D((\alpha,a'),(\beta',b'),(\gamma',c'))$, in which all streams have progressed to their derivatives but for $\alpha$, which remains unchanged. As a consequence, $\alpha(0)$ is (again) the next data item that $D$ will output (but note that the time stream $a$ has changed into $a'$).

Composing the driver and the lossy buffer as below yields a connector that is equivalent with the (non-lossy) unbounded fifo buffer. The output end $(\beta,b)$ of $D$ is connected to the input end of $L$, the signal end $(\gamma,c)$ of $L$ is fed back to $D$, and both are hidden: for all timed data streams $(\alpha,a)$ and $(\delta,d)$,
\[ \exists(\beta,b)\,\exists(\gamma,c) : D((\alpha,a),(\beta,b),(\gamma,c)) \wedge L((\beta,b),(\gamma,c),(\delta,d)) \;\Longleftrightarrow\; (\alpha,a) \mathrel{\mathit{fifo}} (\delta,d) \]
For the implication from left to right, we have to show that $\alpha = \delta$ (and $a < d$). To this end, define the following relation on data streams:
\[ R = \{ (\alpha,\delta) \mid \exists a, d, (\beta,b), (\gamma,c) : D((\alpha,a),(\beta,b),(\gamma,c)) \wedge L((\beta,b),(\gamma,c),(\delta,d)) \} \]
In order to prove that $R$ is a bisimulation relation, consider a pair $(\alpha,\delta)$ in $R$ with 'witnesses' $a, d, (\beta,b), (\gamma,c)$ such that
\[ D((\alpha,a),(\beta,b),(\gamma,c)) \quad\text{and}\quad L((\beta,b),(\gamma,c),(\delta,d)) \]
Let $n$ be the smallest natural number such that $\gamma(n) = 1$ (which exists by the remark above). It follows that
\[ D((\alpha,a^{(n)}),(\beta^{(n)},b^{(n)}),(\gamma^{(n)},c^{(n)})) \;\wedge\; L((\beta^{(n)},b^{(n)}),(\gamma^{(n)},c^{(n)}),(\delta,d)) \]
Together with $\gamma^{(n)}(0) = \gamma(n) = 1$, this implies $\alpha(0) = \beta^{(n)}(0) = \delta(0)$ and, moreover,
\[ D((\alpha',a^{(n+1)}),(\beta^{(n+1)},b^{(n+1)}),(\gamma^{(n+1)},c^{(n+1)})) \;\wedge\; L((\beta^{(n+1)},b^{(n+1)}),(\gamma^{(n+1)},c^{(n+1)}),(\delta',d')) \]
Thus, $(\alpha',\delta') \in R$, which concludes the proof that $R$ is a bisimulation. It now follows by coinduction that $\alpha = \delta$. (A minor variation on this argument proves that $a < d$.)

For the implication from right to left, choose $(\beta,b) = (\alpha,a)$, $\gamma = (1,1,1,\ldots)$, and $c = \tfrac{1}{2} \times (a + a')$ (in a hopefully self-explanatory notation). It is now a straightforward proof by ($D$- and $L$-)coinduction to show that
\[ D((\alpha,a),(\beta,b),(\gamma,c)) \quad\text{and}\quad L((\beta,b),(\gamma,c),(\delta,d)) \]
10 Conclusion 

We have provided a simple and transparent semantical model for Reo, in which 
connectors are defined as relations on timed data streams. We use coinduction 
to reason about both time streams and data streams, leading to some initial 
formal results on expressiveness and connector equivalence in Reo. Our work 
on Reo and this model is on-going. One of the first questions to address is 
to decide what set(s) of basic channels and connectors to choose as the basis 
for a connector calculus (or calculi). Another plan is to look at more instances 
of connector protocol verification. On the basis of the example of Section 9 
(and other examples not included in the present paper, such as the alternating 
bit protocol), we expect that the present model will be competitive with both 
traditional dataflow networks and with process algebra, by combining the best of 
those two worlds. Like data flow and unlike process algebra, Reo is channel-based 
and models the (communication) topology of connectors explicitly. Like process 
algebra and unlike data flow, (our model of) Reo is a calculus in which complex 
connectors are compositionally built out of simpler ones. Moreover, unlike data 
flow, the model for Reo that we presented is both simple and formal enough 
to allow actual verification. And unlike process algebra, there is no need to use 
nondeterministic transition systems and computationally complicated notions 
such as weak or branching bisimulation. Instead, streams and coinduction are 
all that is needed. 
Abstract. In this paper, after introducing the problem and a brief survey of the current approaches, we look at the consistency problems in
the UML in terms of the well-known machinery of classical algebraic 
specifications. Thus, first we review how the various kinds of consistency 
problems were formulated in that setting. Then, and this is the first con- 
tribution of our note, we try to reduce, as much as possible, the UML 
problems to that frame. That analysis, we believe, is rather clarifying in 
itself and allows us to better understand what is new and what instead 
could be treated in terms of that machinery. We conclude with some 
directions for handling those problems, basically with constrained mod- 
elling methods that reduce and help precisely individuate the sources of 
possible inconsistencies. 



1 Introduction 

A few years after its introduction, the UML has become, for good and bad, a
“lingua franca” for an object-oriented support to software development. Among 
the many problems raised by its use, the consistency of UML artifacts/documents 
has emerged as crucial and challenging. Indeed, it has attracted in recent years, 
especially after the year 2000, a significant amount of work; that interest is also 
witnessed by the organization of a workshop within the conference «UML» 2002
on "Consistency Problems in UML-based Software Development" [1].

Within that context "consistency" bears roughly the same meaning as logical consistency; indeed the UML artifacts/documents are organized in "models"
that correspond to logical specifications. However the nature of those artifacts 
is, at least apparently, so different from the traditional specifications used in the 
formal method community that even the definition of consistency is somewhat 
controversial. Among the sources of difficulty we can mention: the nature of the 
notation, that is visual and not directly defined adopting inductive techniques; 
the UML multiview approach, which describes a system, at some level of ab- 
straction, as a collection of sub-descriptions dealing with possibly overlapping 
aspects; the use of UML artifacts throughout a software development process 
typically consisting of many phases, in which the same kind of document may 
have different meanings. With Engels et al. [18], we can say that "Altogether the consistency conditions depend on the diagrams [constructs] involved, the development process employed, and the current stage of the development."

Confronted with the consistency problems in the UML, first during some 
work on UML semantics done within the CoFI Initiative [30] and now in the 
development of a UML-based method [5,6], because of our long acquaintance 
with algebraic development techniques, we have been tempted to look at them 
trying to borrow the classical frame of logical-algebraic specifications, also for 
understanding and isolating the possible novelties. Indeed, in that framework 
one could define concepts and problems in a rather rigorous way, though of 
course that does not mean to solve all consistency problems, many of them being 
of uncomputable nature. However, among the many related valuable research 
attempts at dealing with consistency in UML (consider, e.g., [1] also for further 
references) that view is not explicit; though it appears to be underlying some 
treatment, notably in [18], where some rather clean informal definitions have a 
clear logical origin. The analysis in our paper will help understand why most of the related papers depart from the logical-algebraic approach; indeed the relationship is not obvious at all.

The purpose of this paper is first of all informative and exploratory, to es- 
tablish a link between the work and terminology in the UML world and in the 
logical-algebraic setting. To achieve that purpose we first present extensively the 
origin and the nature of the consistency problems in the UML in Sect. 3 and 
briefly review the current terminology and research directions in Sect. 4. Then 
in Sect. 5, avoiding many technicalities, in a simple language adopting some con- 
ceptual object-oriented notation (a subset of UML), we recall the basic setting 
of logical-algebraic specifications; and, in Sect. 6, we propose a view of the UML 
setting in terms of the classical concepts of the logical-algebraic setting. On the 
basis of the new setting, we then propose, in Sect. 7, a first attempt at exploiting 
and learning from the outlined correspondence to deal in practice with consis- 
tency issues in the UML framework. We will use in the paper a simple UML 
model as running example, presented in Sect. 2. 

Here, by UML we intend UML 1.3 as presented by the official standard specification version 1.3, [37]; while [34] is the reference manual (although for the previous version 1.1) and [21] is a short introduction with examples. A warning for those
acquainted with the current literature on the UML consistency: we do not intend 
here to pursue the so called translational approach, by which one converts the 
UML or parts of it to some semantically well-defined formalism and then handles 
consistency by translation. Our attempt is to stay at the UML level trying to 
individuate at that level the correspondence with a logical-algebraic setting. For 
a classical algebraic approach we mention, e.g., the one in [38], for a much more 
updated and comprehensive view see [3], and the CoFI initiative [30]. 

2 UML Model Example 

The UML model presented in this section describes an abstract design of a system 
for handling the order invoicing in a company. This model includes a UML class 
diagram plus associated constraints introducing the elements used to model the 
Class invariants

context S: Stock inv: S.qu >= 0
context I: Invoicer inv: I.stk.previous = {}

Operation pre/postconditions

getProduct(p:Product, q:Integer)
pre: self.quantity(p) >= q
post: self.quantity(p) = self.quantity@pre(p) - q

addProduct(p:Product, q:Integer)
post: self.quantity(p) = self.quantity@pre(p) + q

Fig. 1. UML Class Diagram with Constraints (the class diagram itself is not reproduced here; its OCL constraints are listed above).

getProduct(p:Product, q:Integer) method:
if (self.pr = p) {self.qu = self.qu - q}
elseif (self.others <> {}) {self.others.getProduct(p,q)}
else {null}

quantity(p:Product): Integer method:
if (self.pr = p) {return self.qu}
elseif (self.others <> {}) {return self.others.quantity(p)}
else {return 0}

Fig. 2. Methods Associated with Operations of the Passive Class Stock.



invoicing system (Fig. 1), some methods defining some operations of the passive class Stock (Fig. 2), a statechart defining the behaviour of the instances of the active class Invoicer (Fig. 3), and a UML sequence diagram, describing how three objects cooperate to successfully invoice an order (Fig. 4).
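The constraints of Fig. 1 and the method bodies of Fig. 2 together form a small design-by-contract specification of Stock, and it is worth seeing what each piece actually catches. The following is an added example (not code from the paper): it implements the chained Stock structure that the recursive methods of Fig. 2 assume, checks the invariant and the pre/postconditions at run time, and shows that the missing precondition on addProduct lets a negative quantity through to the point where only the class invariant rejects it. Fig. 2 gives no method for addProduct, so the body used here (append a node for an unknown product) is this example's assumption, as are the class names and sample data.

```python
"""The Stock contracts of Fig. 1 and the methods of Fig. 2 as runnable Python
with the OCL invariant and pre/postconditions checked at run time.

Added example, not part of the paper. The `others` link models the chain the
recursive methods in Fig. 2 rely on. Fig. 2 gives no method for addProduct;
the body here (append a node for an unknown product) is an assumption that
satisfies its postcondition.
"""

class ContractViolation(AssertionError):
    pass

class Stock:
    def __init__(self, pr, qu, others=None):
        self.pr, self.qu, self.others = pr, qu, others
        self._check_invariant()

    def _check_invariant(self):
        # context S: Stock inv: S.qu >= 0, checked on every node of the chain
        node = self
        while node is not None:
            if node.qu < 0:
                raise ContractViolation("inv: qu >= 0 violated")
            node = node.others

    def quantity(self, p):                     # Fig. 2
        if self.pr == p:
            return self.qu
        if self.others is not None:
            return self.others.quantity(p)
        return 0

    def getProduct(self, p, q):
        before = self.quantity(p)
        if before < q:                         # pre: self.quantity(p) >= q
            raise ContractViolation("pre: quantity(p) >= q violated")
        self._get(p, q)
        if self.quantity(p) != before - q:     # post: quantity(p) = quantity@pre(p) - q
            raise ContractViolation("post of getProduct violated")
        self._check_invariant()

    def _get(self, p, q):                      # Fig. 2 body of getProduct
        if self.pr == p:
            self.qu -= q
        elif self.others is not None:
            self.others._get(p, q)

    def addProduct(self, p, q):                # Fig. 1 gives a postcondition only
        before = self.quantity(p)
        self._add(p, q)
        if self.quantity(p) != before + q:     # post: quantity(p) = quantity@pre(p) + q
            raise ContractViolation("post of addProduct violated")
        self._check_invariant()

    def _add(self, p, q):                      # assumed body, not in Fig. 2
        if self.pr == p:
            self.qu += q
        elif self.others is not None:
            self.others._add(p, q)
        else:
            self.others = Stock(p, q)

def demo():
    """Constructed stock: 5 bolts and 2 nuts."""
    stk = Stock("bolt", 5, Stock("nut", 2))
    stk.getProduct("nut", 2)
    stk.addProduct("washer", 3)
    try:
        stk.getProduct("bolt", 6)              # precondition fails: only 5 bolts
        guarded = False
    except ContractViolation:
        guarded = True
    return stk.quantity("nut"), stk.quantity("washer"), stk.quantity("bolt"), guarded

def negative_add_guarded():
    """addProduct has no precondition: a negative q satisfies its postcondition
    and drives qu below zero, which only the class invariant catches."""
    stk = Stock("bolt", 1)
    try:
        stk.addProduct("bolt", -2)
        return False
    except ContractViolation:
        return True

if __name__ == "__main__":
    print(demo(), negative_add_guarded())
```

The second function is the security-relevant observation: a postcondition stated relative to `@pre` is satisfied by any arithmetic change, so unvalidated input reaches the object state and is rejected only afterwards by the invariant, by which time the state has already been mutated.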

3 Consistency in the UML: The Problem 

Consistency is a heavily overloaded word in the computing field, and it is used in a 
particular way in the UML community; thus we first try to clarify what it means. 
Textual content recovered from the statechart of Fig. 3 (the diagram itself is not reproduced): 

ords = Order.allInstances->select(status = pending) 

state Invoicing, do: 

[ ords->notEmpty ] / 
ords = ords->first; 
if (o.quant =< stk.quantity(o.what)) 
{ stk.getProduct(o.quant,o.what); mail.sendInvoice(o); }; 
ords = ords->excluding(o); 

Fig. 3. Statechart Defining the Behaviour of the Active Class Invoicer. 

Fig. 4. Sequence Diagram Showing a Successful Order Invoice. 



A first informal approximation is in the following statement from [18]: 
“During the development process artifacts representing different aspects of 
the system are produced. The artifacts should be properly related to each other 
in order to form a consistent description of the developed system.” 

There are two main reasons to have many different artifacts describing the 
same system: 

— multiview description techniques: at some level of abstraction a system is 
described as a collection of sub-descriptions dealing with different, possibly 
overlapping, aspects; 

— phased development process: the system is developed throughout different 
phases and iterations, each one producing a new, more refined description of 
the system. 

In the words of Engels et al. [18] “Altogether the consistency conditions depend 
on the diagrams [constructs] involved, the development process employed, and 
the current stage of the development. ” 

A terminological clarification: in the world of the object-oriented software 
engineering a system description is called a model (e.g., UML models), whereas 
in the world of the formal methods, a system description is called a specification 
(e.g., logical-algebraic specifications). We will use the terminology consistent 
with the current use in any case, but the reader should recall that model and 
specification are essentially synonyms. 

Notice that a single artifact produced using some notation may be unable to 
correspond to some coherent description of a system (for example, because it is 
ill-formed); in the UML world the word inconsistent is used also in these cases. 
However, we do not use the word inconsistent, as is often done also in the SE 
literature (see, e.g., [18], where CSP processes ending in deadlock are considered 
to be inconsistent), to qualify descriptions which are well-defined but describe 
senseless or useless systems (think, for example, of an imperative program with 
a nonterminating loop or of a process ending in deadlock). 

In the next two subsections we will illustrate in more detail how inconsistency 
may arise in connection with the two reasons mentioned above (3.1 and 3.2); 
while in subsection 3.3 we point out some aspects of the nature and the current 
status of the visual notation used, which may complicate and influence also the 
treatment of the consistency of a single diagram. 

3.1 Multiview Descriptions 

We speak of a multiview description of a system (or of a software artifact) when- 
ever it consists of a collection of sub-descriptions (views) dealing with different, 
possibly overlapping, aspects of the system. For example, we can have the fol- 
lowing views: 

— static view: the types of the entities building the system; 

— behaviour view: the behaviour of the various entities building the system; 

— interaction view: how the entities building the system interact among them; 



The UML model of Sect. 2 shows a simple concrete case of a multiview 
description. Indeed, Fig. 1 is the static view. Fig. 2 and 3 are two behaviour 
views, and Fig. 4 is an interaction view. 

Notice that a description/model/specification split into many different views 
is not just any description/model/specification modularly decomposed or struc- 
tured; indeed, in the second case the structure/decomposition may follow the 
structure of the described system; think, e.g., of a description of a distributed 
system split into the descriptions of the composing processes. 

Multiview models have nice advantages but also some problematic aspects. 
First of all, splitting a model of a system into several views allows one to decompose 
it into chunks of sensible size, and this is quite relevant in the case of visual 
models. Moreover, each single view focuses on a different aspect, and this is use- 
ful to analyze and to understand the various features of the modelled system. 
The splitting of a model into views also allows one to split the work of producing 
such a model among different persons and/or over time. The less nice aspect 
of a multiview model is that the consistency of the overlapping submodels, cor- 
responding to the various views, has to be guaranteed. The example of Sect. 2 
shows many cases where the views overlap, and so where possible incon- 
sistencies may arise, e.g.: 
— the description of the class Invoicer in the static view of Fig. 1 (operations, 
attributes, constraints) must be coherent with the behaviour of the same 
class as presented in Fig. 3; 

— the behaviour of class Invoicer depicted in Fig. 3 must be coherent with the 
role played by its instances in the collaboration depicted in the interaction 
view of Fig. 4; 

— the method associated with the operation getProduct in Fig. 2 must be co- 
herent with the pre/postconditions associated with the same operation in 
Fig. 1. 
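The third item asks that the method of Fig. 2 be coherent with the pre/postconditions of Fig. 1. The following added example (not from the paper) encodes Stock as in Fig. 2 and checks the contract of Fig. 1 around each call; it assumes Product is a plain string and that `others` is either one further Stock or None (the OCL {}).

```python
"""Added example (not from the paper): the passive class Stock of Fig. 1 and 2
written in Python, with the class invariant and the pre/postconditions of
Fig. 1 checked at run time around the methods of Fig. 2. Assumptions: Product
is a plain string and `others` is either another Stock or None (the OCL {})."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Stock:
    pr: str                           # the product held by this stock node
    qu: int                           # its quantity
    others: Optional["Stock"] = None  # the rest of the stock chain, None for {}

    def invariant(self) -> bool:
        """Fig. 1: context S: Stock inv: S.qu >= 0, for every node of the chain."""
        return self.qu >= 0 and (self.others is None or self.others.invariant())

    def quantity(self, p: str) -> int:
        """Fig. 2, operation quantity: quantity of p at the first node holding it."""
        if self.pr == p:
            return self.qu
        elif self.others is not None:
            return self.others.quantity(p)
        else:
            return 0

    def getProduct(self, p: str, q: int) -> None:
        """Fig. 2, operation getProduct: subtract q at the first node holding p."""
        if self.pr == p:
            self.qu = self.qu - q
        elif self.others is not None:
            self.others.getProduct(p, q)
        else:
            pass  # the `null` branch of Fig. 2: p is not in stock, nothing changes


def checked_getProduct(stock: Stock, p: str, q: int) -> dict:
    """Call getProduct under the contract of Fig. 1 and report which parts held.

    pre:  self.quantity(p) >= q
    post: self.quantity(p) = self.quantity@pre(p) - q  (plus the invariant)
    A violated precondition is the caller's fault and stops the check; a
    satisfied precondition followed by a violated postcondition means the
    method of Fig. 2 is not coherent with the contract of Fig. 1."""
    before = stock.quantity(p)            # self.quantity@pre(p)
    if not before >= q:
        return {"pre": False, "post": None, "inv": stock.invariant()}
    stock.getProduct(p, q)
    return {"pre": True,
            "post": stock.quantity(p) == before - q,
            "inv": stock.invariant()}


def sample_stock() -> Stock:
    """Constructed sample chain: 5 bolts in front of 3 nuts."""
    return Stock("bolt", 5, Stock("nut", 3))


def run_checks() -> list:
    """Three scenarios: product found, precondition violated, product absent."""
    s = sample_stock()
    found = checked_getProduct(s, "nut", 2)          # 3 -> 1: pre, post, inv hold
    too_many = checked_getProduct(s, "nut", 9)       # 1 >= 9 fails: pre is False
    # p not in the chain and a negative q (q: Integer in Fig. 1 admits it):
    # pre holds (0 >= -1) but the null branch leaves quantity at 0, not 0 - (-1)
    absent = checked_getProduct(sample_stock(), "washer", -1)
    return [found, too_many, absent]


if __name__ == "__main__":
    for r in run_checks():
        print(r)
```

For the found and the precondition-violating cases the report is what Fig. 1 promises; for a product not in the chain together with a negative q, which the Integer type of Fig. 1 admits, the precondition holds but the postcondition fails, exactly the kind of mismatch between the two views that the item above asks to rule out.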

Another problematic aspect is that when a multiview model is refined to 
a less abstract one, the submodels cannot be refined independently; think, for 
example, of refining an object of class Invoicer into several cooperating objects: 
in such a case three views of the model must be refined in a coherent way. 

3.2 Phased Development Process 

In the software engineering world it is now well established that the development 
process of a software artifact should be organized in phases and that each phase 
is organized in various activities, some of which may be iterated several 
times. Furthermore, many models¹ of such a process have been proposed, each one 
characterized by its own phases and by the tasks to be done in each of them. Among 
the most important, of very different nature, from general guidelines to formal 
standards, we have 

— the basic old one, waterfall, characterized by four phases: capture and speci- 
fication of the requirements, design, coding and maintenance; 

— the official standard of the German public administration, V-Model; 

— the best known one based on the UML, RUP [31], quite heavy; 

— the new Agile methods family (such as Extreme Programming²). 

Whatever software development process model we consider, the various phases 
and iterations require producing different artifacts describing the system un- 
der development, which should be coherent with each other; coherent means that 
they cannot present contradictory statements about an aspect of the system. In 
general such artifacts are related by particular relationships, such as realization, 
refinement, implementation, .... 

Taking as example the trivial waterfall model, then the design must realize 
the requirements expressed by the requirement specification, and the code should 
be a correct implementation of the design specification. 

We have also that in the UML world the models used in different phases 
may use different UML constructs (recall that UML has been defined by putting 
together many different notations). For example, we may have use case diagrams, 
sequence and collaboration diagrams for the requirements, and class diagrams 
plus statecharts and method definitions for the design. 

¹ Here we have another occurrence of the word model, not to be confused with the 
UML models. 

² http://www.ExtremeProgramming.org/ 
3.3 The UML Notation 

In the UML community the word consistency is used also w.r.t. a single di- 
agram, with the general idea of the diagram being statically well-formed and 
having one precise meaning. These aspects are now quite standard and non- 
problematic for usual programming and specification languages (see, e.g., Java 
or SDL), and also in the case of a quite refined syntax and sophisticated seman- 
tics. Consider, for example, CASL [2] a logical-algebraic specification language 
that offers a powerful combination of ISO-Latin characters, subtyping, mix-fix 
operation syntax, and overloading to write quite readable textual specifications, 
and a sophisticated formal semantics for partiality, subsorting and architectural 
specifications. 

But UML is a visual language, and so its syntax is not (and cannot be) 
given by the standard techniques, such as BNF and abstract syntax trees or 
terms built by combinators. Thus even syntactic correctness poses new and 
relevant problems. The chosen technique is to use metamodelling to present the 
abstract syntax, plus the associated visual notation (concrete syntax) given apart 
for each abstract construct. Presenting the abstract syntax (the chapter of the 
official UML specification concerning the abstract syntax is strangely titled Se- 
mantics) in a metamodelling style means giving a (meta) class diagram, where 
the classes (or better, metaclasses) correspond to the various constructs, and their at- 
tributes and the relationships among them (including aggregation/composition) 
to the elements characterizing such constructs; specialization has the obvious 
meaning. The conditions corresponding to the properties guaranteeing the static 
correctness (well-formedness) are given as constraints attached to such a (meta) 
class diagram. However, due to its size, the (meta) class diagram defining 
UML is split into several parts, each one concerning some particular construct 
(e.g., state machines) and presented in a separate chapter of the UML official 
specification [37] together with the related constraints. Thus, the constraints 
always consider a single construct (e.g., state machines: there is a unique initial 
state, there is no transition leaving a final state), and there are no constraints 
considering a whole model made of several constructs. So nothing is said about 
the mutual relationships among the constructs building a model (e.g., a call event 
appearing on a transition of a state machine must be built by an operation of 
the context class). 

We present in Fig. 5 a simplified fragment of the UML metamodel showing 
some of the constructs needed to define a class diagram. 

The concrete syntax of UML, called notation in the official standard [37], 
amounts to giving many different visual diagrams, each one corresponding 
to a subset of a model. Notice, however, that the relationship between the ab- 
stract and the concrete syntax is quite weak; for example, the class diagram 
does not appear as a metaclass in the abstract syntax but only in the notation, 
and a single model element (collaboration) corresponds to two different visual 
diagrams: the sequence diagram and the collaboration diagram. 

UML aims at being the unified notation to model all the different aspects of 
a software system during the various development phases, and thus it offers an 

Fig. 5. UML Metamodel Simplified Fragment Concerning Class Diagram. 

abundance of constructs originating in many different notations. Indeed, UML 
combines quite standard ways to present classes and associations with more 
specific notations for the behavioural aspects (state machine, sequence diagram, 
collaboration diagram, activity diagram), with a special notation for the use cases 
(use case diagram), with diagrams for the physical/deployment view of the sys- 
tem, and with constructs to structure the models (packages). We have, as nicely 
said in [18], a “multitude of UML diagrams”. 

There is another aspect of UML that makes the treatment of its syntax 
problematic. Indeed, UML is not just a language to be used as it is in every 
case; instead, to support its use in particular domains, or following particular 
development methods, or using particular application technologies, UML offers 
in itself mechanisms to define its own specializations (UML profiles). For 
example, 

— stereotypes allow one to define variants of the existing constructs, 

— tagged values allow one to add parts to existing constructs, 

— additional constraints allow one to define restrictions on the subset of the UML 
which may be used (e.g., no visible attributes are allowed). 

As for the semantics (once called dynamic as opposed to static) 
of a UML model, the situation is still worse. First of all, the semantics is defined 
informally, and in several points it is ambiguous, incomplete and even contra- 
dictory. Moreover, the existence of a variable semantics for some constructs is 
explicitly stated (semantic variation points); e.g., the policy for handling the 
event queues of the state machines is not fixed. Such a feature allows one to tune the 
notation to various, possibly very different, usages. 

Finally, the same construct may be used for different purposes, even at dif- 
ferent phases; for example, a state machine may describe the behaviour of an 
active or of a passive class, of an operation, of a use case, or of the whole system. 
In all these cases the semantics is slightly different. 
4 Current Research Directions 

Because of the problems outlined in the preceding section, a considerable amount 
of work has recently been devoted to the consistency issues in the UML. In partic- 
ular, Engels et al. in a series of papers ([17-20]) have discussed the terminology, 
some technical and methodological aspects and references to other work. More- 
over, a special workshop has been organized within the «UML» 2002 Conference 
devoted to “Consistency Problems in UML-based Software Development” (see 
[1]). An interesting discussion of the general issue of consistency in a more general 
setting than UML can be found in Derrick et al. [14]. 

As can be seen in the UML-related literature, usually the current terminology 
adopts a rather informal style, much different from the one used in the logical- 
algebraic field. Here too we use that style, to be contrasted later on, at least 
in part, with the one we propose on the basis of the analogy with the ADT 
viewpoint. 

First we have to mention two orthogonal classifications of consistency, namely 
“Horizontal versus Vertical” and “Syntactic versus Semantic” . 

Horizontal consistency, also named intra-consistency or intra-model consis- 
tency, is “related to consistency among diagrams within a given model” [1], typ- 
ically within a development phase. 

Vertical consistency, also named inter-consistency or inter-model consistency, 
is “concerning consistency between different models”, typically at different de- 
velopment phases [1]; the qualification “vertical” refers to the process of 
refining models and requires that the refined model be consistent with the one it 
refines [19]. 

Syntactic consistency “ensures that a specification conforms to the abstract 
syntax specified by the metamodel . . . this requires that the overall model be well- 
formed” [19]. 

Semantic consistency 

— “with respect to horizontal consistency, requires models of different view- 
points to be semantically compatible with regards to the aspects of the system 
which are described in the submodels” [18]. 

— “with respect to vertical consistency, semantic consistency requires that a 
refined model be semantically consistent with the one it refines” [18]. 

Finally and noteworthy, in [20] also evolution consistency is mentioned and ad- 
dressed, namely consistency between different versions of the same submodel. 

With reference to the aforementioned classification, let us briefly review some 
research directions. 

As for static consistency, there are various attempts, but still a lack of meth- 
ods for defining static semantics analogous/comparable to the methods centered 
around term structure and induction principles. As we have seen in the previous 
section, the static semantics is dealt with using metamodelling (class diagrams 
plus constraints). Thus the current work on static semantics is concerned with 
checking metamodelling constraints within a rule checking system, with vari- 
ous techniques. For example, the xlinkit system, a generic tool for managing the 
consistency of distributed documents in XML format, is used and extended to 
check the consistency of XML documents in XMI format (Finkelstein et al. [23]). 
In [36] Sourrouille and Caplat propose a transformation of OCL constraints into 
operational rules handled within a knowledge system. Sometimes, as is typical 
of a good amount of UML-related work, there is not a clear cut between syntax 
and semantics; in this line, among other things, the NEPTUNE project (Bodeveix 
et al. [10]) on one side extends OCL (also with temporal operators) and then 
provides tools for checking the well-formedness of OCL rules at the application level 
and also the satisfaction of OCL constraints defined at the metalevel. 

As for semantic consistency, we can roughly distinguish three approaches. 

In the transformational approach all viewpoints are translated to a common 
underlying semantic framework, and consistency is dealt with there. The common 
underlying semantic framework is provided by 

— an integration of Transition Systems, Algebraic Specifications and Transfor- 
mation Rules (Grosse-Rhode [22]); 

— Generalized Labelled Transition Systems (Reggio et al. [33], Bhaduri and 
Venkatesh [9]); 

— RDS (Reactive System Design Support) (Lano et al. [26]); 

— High Level Petri nets (Baresi and Pezze [7]); 

— Automata (Lilius [27]). 

A related approach also provides a common semantic model, but uses it to derive consis- 
tency checks in the original specification; this is the case of the work of Davies 
and Crichton ([13]), which derives sets of allowable traces in an object diagram 
via the CSP semantic model, and of Jürjens ([25]), which proposes a refinement for 
UML diagrams from a common ASM semantic model. 

Another approach is by interpreting and testing; for example in [17] Engels 
et al. propose DMM, Dynamic Meta Modelling, a graphical version of SOS rules 
used to interpret UML models and to generate tests. 

A most important point stressed in particular by Engels et al. [19, 17] is the 
following principle: in cases such as UML-based development, it is mandatory to 
provide a methodological framework for dealing with consistency issues. Thus we 
need development methods dealing with consistency, typically by restricting the 
use of the notation so as to be consistent; for example, this is included in the work of the 
Autofocus group (TUM [35]) and of Huzar et al. [24]. At the end of this paper 
we will show how consistency is addressed from that methodological viewpoint 
in our own work [5,6]. In order to understand the complexity of the issue let 
us report the steps of a general frame for consistency management proposed by 
Engels et al. [19, 17]: 

1. Identification of conceptual model, aspects, notation 

2. Identification of consistency problems 

3. Choice of a (common) semantic domain 

4. Partial mapping of aspects leading to consistency problems 

5. Specification of consistency conditions 

6. Location and analysis of potential inconsistencies. 
OCL constraints of Fig. 6 (the class diagram itself is not reproduced): 

General 

context F: Formula inv: F.holds.m-over = F.f-over 
context FM: FormalModel inv: FM.satisfies.f-over = FM.m-over 
context S: Signature inv: S.models.includesAll(S.formulae.holds) 

Well-Formedness Rules 

context BSP: BasicSpecification inv: BSP.prop.f-over = BSP.sig 

Semantics 

context SP: Specification inv: SP.sig.models.includesAll(SP.sem) 
context BSP: BasicSpecification inv: BSP.sem = BSP.prop.holds 

Fig. 6. Logical-Algebraic Specification Framework: Basic Specifications. 



5 The Logical-Algebraic Specification Case 

5.1 The Logical- Algebraic Framework 

The logical-algebraic framework may be presented in a very refined way using 
the categorical language and the concept of institution, see, e.g., [38, 3, 30]. Here, 
to make the transition to UML smoother and also to be understandable by the 
wider audience of UML specialists, we present it following the metamodelling 
style typical of the UML and the concept of specification method of [4]. Of course 
that means remaining at a more informal level and not being concerned with more 
sophisticated issues, like the consistency with the change of signatures. In Fig. 6 
we summarize the essential structure with the comments below, and [exemplify 
them for the case of first-order specification of partial abstract data types, see 
[3]]. Notice below the different terminology from the one of the UML: the UML 
models roughly correspond to the specifications here, while the (formal) models 
here correspond to the basic semantic structures. 

— The elements of Item are the specified elements [abstract data structures/types]. 

— The elements of FormalModel are formal structures corresponding to the specified items 
[many-sorted partial algebras]. 

— The association rationale describes how the formal models give an abstract 
and precise representation of the specified items [it is easy to see how many- 
sorted algebras formally model data structures: carriers = sets of values, 
algebra functions = data operations and predicates]; see [4] for more signi- 
ficant examples of rationales. 
— The formal models are classified by their static structure, which in the logical- 
algebraic case is usually defined by a Signature; in general a signature is a 
list of the constituent features of the formal models [many-sorted first-order 
signatures; in this case the constituent features are sorts, operations and 
predicates]. 

The association whose association ends³ are m-over and models links the 
formal models with the signatures describing their structure [each many- 
sorted algebra is built over a many-sorted signature]. 

— A Formula is a description of a property of interest about the formal models. 
More precisely, a formula describes a property that is sensible only for the 
formal models having a given structure represented by a signature; thus each 
formula is built over a signature (the association with ends f-over and formu- 
lae links signatures with the formulae built over them) [first-order formulae 
over a many-sorted signature]. 

— The association, whose ends are holds and satisfies, defines when a formula 
holds on a formal model/a formal model satisfies a formula. Clearly, this 
relationship is sensible only when the linked formal models and formulae 
are built over the same signature, see the constraints in Fig. 6 [the usual 
interpretation of first-order formulae]. 

— A Specification is characterized by a signature (sig) and by a set of formal 
models, its semantics (sem); such models are all over the signature of the 
specification (constraint SP.sig.models.includesAll(SP.sem)). 

— A BasicSpecification is a specification that consists exactly of a signature 
and of a set of formulae over it, and determines the set of formal models 
satisfying all such formulae, constraint BSP.sem = BSP.prop.holds. The well- 
formedness constraint BSP.prop.f-over = BSP.sig requires that the formulae 
of a basic specification be built over its signature. 

Typically, an algebraic specification language offers, together with constructs 
to present basic specifications, several ways to structure complex specifications, 
each one given by a combinator which builds new specifications from existing 
ones. The most common combinators are 

— sum or union (“SP1 + SP2” is the specification having all the constituent 
features and all the properties of SP1 and of SP2); 

— reveal (“reveal SIG in SP” is the specification SP where only the constituent 
features present in the signature SIG are made visible/revealed); 

— rename (“rename SP by ISOMORPH” is the specification SP where its con- 
stituent features, sorts, operations and predicates, are renamed as described 
by the signature isomorphism ISOMORPH). 

In Fig. 7 we give a fragment of the extension of the class diagram of Fig. 6 to 
include structured specifications. 

³ In the UML it is possible to name the two ends of an association differently; each 
association end is used to navigate in the direction towards the class near which 
it is placed. 
OCL constraints of Fig. 7 for the reveal combinator (the class diagram fragment itself is not reproduced): 

General 

context SP: Reveal inv: SP.sig = SP.visible 

Well-Formedness Rules 

context SP: Reveal inv: SP.visible.isSub(SP.S.sig) 

Semantics 

context SP: Reveal inv: SP.sem = SP.S.sem.restrict(SP.visible) 

Fig. 7. Logical-Algebraic Specification Framework: Structured Specifications Frag- 
ment. 



5.2 Consistency in Logical- Algebraic Specifications 

In the logical-algebraic setting the consistency problems are defined along the 
following lines, where we use some current terminology found in the literature 
about UML. 

First of all we define the so-called syntactic consistency that is called in the 
formal methods/programming language community syntactic/static correctness 
or static semantics. 

— A basic logical-algebraic specification is syntactically consistent whenever it 
consists of a set of well-formed formulae over its signature, determined by the 
association f-over of Fig. 6 (see the constraint BSP.prop.f-over = BSP.sig in 
the same figure). 

Usually in the algebraic setting the syntactically consistent basic specifica- 
tions are defined in an inductive/constructive way, that is, by defining directly 
by induction the set of all the correct formulae over a signature, and of all the 
correct (basic) specifications, instead of qualifying which elements of a larger set 
correspond to correct formulae; see, e.g., [38,8] for inductive definitions of first- 
order formulae. The syntactic consistency of structured specifications is handled 
in a similar way; here by means of some constraints on a class diagram (see, e.g., 
Fig. 7 for an example of such well-formedness rules), whereas in the algebraic 
OCL constraint of Fig. 8 (the class diagram with the ternary association, whose ends include alpha and implemented, is not reproduced): 

Semantics 

context SP: Specification inv: SP.sem.includesAll(SP.alpha.apply(SP.implemented).sem) 

Fig. 8. Logical-Algebraic Specification Framework: Implementation. 



setting again the correct structured specifications are defined in an inductive/ 
constructive way [8]. 

For the semantic consistency, also in the logical-algebraic world we have 
the distinction between consistency of one specification (or intra-specification 
consistency) and vertical consistency (or inter-specifications consistency) of one 
specification w.r.t. another one. 

— A logical-algebraic specification SP is (horizontally) semantically consistent 
(standard terminology consistent) iff its semantics, defined by the association 
sem of Fig. 6, is not empty (SP.sem <> {}). 

Horizontal semantic inconsistencies in the logical-algebraic case are due to 
the fact that a specification includes some formula that implies the negation of 
another of its formulae (including the case of a formula that implies its negation) . 

Notice that a semantically consistent specification is not always a sensible 
specification of some data structure. Consider, for example, the case of a spec- 
ification all of whose models are isomorphic to the trivial algebra (the one whose 
carriers have exactly one element and where the interpretation of operations and predi- 
cates is the obvious one); this is consistent, but in most cases it is not what 
the specifier intended. In the case of partial algebras, one can also have speci- 
fications whose unique model is the algebra whose carriers are empty sets. 
Unfortunately, it is not possible to define this kind of specification in general: 
they depend on the particular setting, and cannot be fully banned (sometimes they 
are really wanted, e.g., the specification of a token requires a unique sort with just 
one element). However, from the methodological point of view, it may be useful 
to define the class of such specifications, which we name pseudo-inconsistent, 
and perhaps to introduce techniques to detect them. 

The problem of vertical consistency, concerning two algebraic specifications, 
one implementing the other, is handled in a very careful way. In this setting, 
we speak of vertical consistency relative to a given relationship between the 
structures of the two specifications due to Sannella and Wirsing (see [38]), given 
as a function mapping specifications into specifications. We summarize in Fig. 8 
this notion of implementation, as a ternary association, where the end alpha 
shows the way a specification is implemented by the other one. 

The presence of a semantics (association sem) allows to precisely define the 
notion of vertical consistency by the constraint in Fig. 8 stating that 
“if SP is implemented by SP1, then the semantics of SP (a class of formal 
models) includes the semantics (another class of formal models) of α(SP1)”. 

When the specification function is a composition of a renaming, an extension 
with derived operations and predicates, a reveal and an extension with axioms, 
we have the so-called implementation by rename-extend-restrict-identify of [15, 
16], which corresponds, within the framework of abstract data types, to 
Hoare’s idea of implementation of concrete data types. 
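The framework of Fig. 6, 7 and 8 and the consistency notions of this subsection, as an added example that is not the paper's own code: a tiny one-sorted instance in Python in which the models over a signature are enumerated up to a carrier bound, so that horizontal consistency (SP.sem <> {}), pseudo-inconsistency and the implementation constraint SP.sem.includesAll(alpha(SP1).sem) can be checked directly. The signature (a constant t and a unary operation neg), its axioms and the specification names are constructed for this example.

```python
"""Added example: a finite instance of the logical-algebraic framework of
Fig. 6, 7 and 8 (one sort, constants and unary operations only), used to
check horizontal consistency, pseudo-inconsistency and vertical consistency
by enumeration of models. Signature, axioms and names are constructed."""
from itertools import product


# A signature is (constant names, unary operation names). A model is a dict
# holding the carrier (0..n-1), one element per constant and, per unary
# operation, the tuple of its outputs (f(0), ..., f(n-1)).
def all_models(sig, max_size=2):
    consts, unops = sig
    models = []
    for n in range(1, max_size + 1):
        carrier = tuple(range(n))
        funcs = list(product(carrier, repeat=n))   # all functions carrier -> carrier
        for cs in product(carrier, repeat=len(consts)):
            for fs in product(funcs, repeat=len(unops)):
                m = {"carrier": carrier}
                m.update(zip(consts, cs))
                m.update(zip(unops, fs))
                models.append(m)
    return models


def canon(m):
    """Canonical hashable form of a model, so classes of models can be compared."""
    return tuple(sorted(m.items()))


class Spec:
    """A specification: a signature (sig) and a class of models (sem), as in Fig. 6."""
    def __init__(self, sig, sem):
        self.sig, self.sem = sig, sem


class BasicSpec(Spec):
    """Fig. 6, BSP.sem = BSP.prop.holds: the models over sig satisfying every formula."""
    def __init__(self, sig, formulas):
        sem = [m for m in all_models(sig) if all(f(m) for f in formulas)]
        super().__init__(sig, sem)


def is_consistent(sp):
    """Horizontal semantic consistency: SP.sem <> {}."""
    return len(sp.sem) > 0


def is_pseudo_inconsistent(sp):
    """Consistent, but every model is trivial (one-element carrier)."""
    return is_consistent(sp) and all(len(m["carrier"]) == 1 for m in sp.sem)


def reveal(sp, visible):
    """Fig. 7: SP.sem = SP.S.sem.restrict(SP.visible), keeping only the visible symbols."""
    consts, unops = visible
    keep = ("carrier",) + tuple(consts) + tuple(unops)
    restricted = {canon({k: m[k] for k in keep}) for m in sp.sem}
    return Spec(visible, [dict(c) for c in restricted])


def implements(sp, sp1, alpha):
    """Fig. 8: SP is implemented by SP1 via alpha iff SP.sem includes alpha(SP1).sem."""
    target = {canon(m) for m in sp.sem}
    return all(canon(m) in target for m in alpha(sp1).sem)


# Constructed signatures and first-order axioms written as Python predicates.
SIG = (("t",), ("neg",))          # a constant t and a unary operation neg
SIG_F = (("t", "f"), ("neg",))    # SIG extended with a derived constant f

def involution(m):                # forall x. neg(neg(x)) = x
    return all(m["neg"][m["neg"][x]] == x for x in m["carrier"])

def neg_t_differs(m):             # neg(t) <> t
    return m["neg"][m["t"]] != m["t"]

def neg_t_equal(m):               # neg(t) = t
    return m["neg"][m["t"]] == m["t"]

def all_equal(m):                 # forall x, y. x = y
    return len(m["carrier"]) == 1

def f_is_neg_t(m):                # f = neg(t)
    return m["f"] == m["neg"][m["t"]]

BOOL = BasicSpec(SIG, [involution, neg_t_differs])              # consistent
CONTRADICTORY = BasicSpec(SIG, [involution, neg_t_differs, neg_t_equal])
UNIT = BasicSpec(SIG, [all_equal])                              # pseudo-inconsistent
INVOL = BasicSpec(SIG, [involution])                            # too weak to implement BOOL
BOOL_F = BasicSpec(SIG_F, [involution, neg_t_differs, f_is_neg_t])

if __name__ == "__main__":
    print("BOOL models:", len(BOOL.sem), "consistent:", is_consistent(BOOL))
    print("CONTRADICTORY consistent:", is_consistent(CONTRADICTORY))
    print("UNIT pseudo-inconsistent:", is_pseudo_inconsistent(UNIT))
    # extend with a derived constant, then reveal: a valid implementation of BOOL
    print("BOOL_F implements BOOL:", implements(BOOL, BOOL_F, lambda sp: reveal(sp, SIG)))
    # a weaker specification has extra models, so it does not implement BOOL
    print("INVOL implements BOOL:", implements(BOOL, INVOL, lambda sp: sp))
```

The alpha used for BOOL_F is the extend-then-reveal shape of the implementation notion discussed above, restricted to what this finite setting can express.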

6 The UML Framework 

Here we try to provide a framework for the UML corresponding to the previous 
one for algebraic specifications. After some preliminary considerations we give 
a schematic view of the possible correspondence. Our presentation is sketchy 
in the sense that we concentrate on the basic underlying ideas; indeed, a too 
detailed treatment here would be senseless, since the UML is evolving: the version 
considered here, 1.3 [37]⁴, will be replaced by a rather different one, UML 2.0. 

Here we consider UML at the level of the abstract syntax, which is as it 
is presented by the metamodel in the Semantic chapter of the official standard 
[37]; reference to the corresponding visual diagrams (as presented in the Notation 
chapter of [37]) will be added to help relate what we present with the current 
view of UML. 

Recall that in the following we use the terminology of Sect. 5.1, along the 
schema of Fig. 6. 

The UML construct to structure models (specifications) is the package; thus 
UML models without packages (and their variants, subsystems) may be con- 
sidered basic specifications, following the terminology of the previous section. 

In this section we will explore the analogy with the algebraic specifications 
and argue that the role of basic specifications can be played in the UML by the 
notion of UML basic model. 

UML Item. UML models are meant to describe real-world systems, such as software 
systems, information systems and business organizations; these are thus the 
elements of Item. 



UML Signature. In the UML, neither in the metamodel, nor in the associated 
notation, there is an obvious construct that may play the role of the signature 
in the algebraic specification case. However, if we look carefully at the various 
(model) elements building a UML model we may discover that many of such 
model elements just state which entities will be used in the UML model to 
describe the system (giving their name and their kind/type), for example classes, 
operations and attributes. We call structural such model elements. 

Now, a UML model made only of structural model elements may be consid- 
ered a kind of signature, since it defines the structure of the modelled system; 
such models will be called signature diagrams. 

^a To be precise, the latest version is UML 1.5, but there are no big differences from 1.3. 
— A structural model element may be 

* a classifier of the following kinds: class (distinguished into active and passive), 
datatype, interface, use case, actor and signal; clearly it will be 
equipped with its own particular features (e.g., attributes, operations 
and signal receptions for classes), but without any form of semantic 
constraint (e.g., the isQuery annotation for an operation, or the specification 
part of a signal reception); 

* an association, but without any semantic attribute (e.g., multiplicity and 
changeability)^b; 

* a generalization relationship, but without any predefined constraint (only 
the subtype aspect matters at the structural level). 

— A signature diagram is a UML model built only of structural model elements 
satisfying some well-formedness constraints, such as: 

* all classes have different names, 

* all attributes of a class have different names, 

* all operations of a class have different names, 

* the type of an attribute is either an OCL type or the name of a class 
appearing in the diagram, 

* ... 

Here for simplicity we have expressed the well-formedness constraints on signature 
diagrams in natural language, but they may be expressed precisely 
as OCL formulae. 

We report in Fig. 9 the signature diagram for our running example of a UML 
model of Sect. 2. To make clear the difference from the class diagram of 
Fig. 1 we have shaded the parts not belonging to the signature diagram. 

Notice that our signature diagram may be visualized as a particular class diagram, 
and that any development method based on the UML requires providing 
at least a static view of the modelled system, which is a class diagram. Thus our 
proposal is not peculiar: it just makes explicit the underlying split between 
the static/structural part of a UML model and the dynamic/behavioural/semantic 
part. 

It is possible to define our signature diagrams in a very precise way at the 
metamodel level; we just need to introduce a new metaclass corresponding to 
the signature diagrams, to slightly modify the metaclasses corresponding to the 
structural model elements (e.g., by dropping the multiplicity from the associations) 
and to redefine the metaclass corresponding to a complete model (it becomes 
an aggregate of one signature diagram and several semantic model elements). 

^b We do not include aggregation/composition in the signature diagrams, because 
essentially they are just normal associations plus some constraints concerning the 
creation/termination of the aggregated/composed objects and of their subparts. 

Fig. 9. The signature diagram of the example UML model. 



UML FormalModel. There is no standard choice for the formal models 
of the UML, because no official formal semantics is available. Many, mostly 
partial, proposals may be found in the literature; the important point is that 
the chosen formal models should be structures able to accommodate all the 
aspects supported by UML models. 

Just to have one at hand to be used as reference for explanatory purposes, 
we mention our proposal of [32, 33], where we advocated, along a line of 
work developed within the CoFI initiative [30], the use of what we call UML-formal 
systems. They are, we believe, sufficiently general to be used also for UML 2.0. 

— A generalized labelled transition system is a tuple 

$(STATE, LABEL, INFO, \to)$, 

where $STATE$, $LABEL$ and $INFO$ are sets and 

$\to \subseteq INFO \times STATE \times LABEL \times STATE$. 

A transition $(i, s, l, s') \in \to$, represented as $i : s \xrightarrow{l} s'$, describes a 
possibility/capability of the modelled system to pass from a situation represented by 
$s$ into another one represented by $s'$, where $l$ describes the interaction with 
the external world during such a transition, and $i$ some additional information 
on the transition (e.g., moves of the subcomponents). 

— The UML-formal systems are a particular class of generalized labelled transition 
systems (see [33]). 

We then have to match each signature diagram with the corresponding UML-formal 
systems. This can be done quite simply, because the UML-formal systems 
of [33] include a description of the static structure of the UML model to which 
they give semantics. For example, they define the names available in such a model 
and classify them into class names, attribute names, operation names and so on. 



UML Formula. Surprisingly or not, the UML constructs playing the role of 
formulae in our setting are particular model elements (the non-structural 
ones) that state properties of the entities used in the modelled system. We 
name them semantic model elements, and list them below. 

— constraints, including the implicit ones (i.e., those embedded in the definition of 
structural model elements, such as association multiplicities and signal reception 
specifications); 

— methods: in the UML official standard [37] they are considered class features, 
but they just define the semantics of operations; thus they have no structural 
effect, but restrict the formal models to those where the interpretation of 
some operation matches the one described by the method itself; 

— state machines, visually presented as statecharts, fix the behaviour of the 
instances of a class, or of an operation, or of a use case; thus they restrict 
the formal models to those where the behaviour of such elements is the one 
described by the state machine; 

— collaborations, visually presented as sequence or collaboration diagrams, impose 
restrictions on the possible interactions (exchange of messages, i.e., 
operation calls) among some objects used to model the system, and so they 
constrain the behaviour of those objects; 

— activity graphs, visually presented as activity diagrams, impose restrictions on 
the causal relationships among facts happening in the associated entity (an 
operation, the whole system, a part of the system, a use case, ...) and so 
they constrain the behaviour of those entities. 

Then we need to define when a semantic model element is built (well-formed) 
over a signature diagram (association f-over of Fig. 6). 

As we have pointed out repeatedly, considering the current status of the UML 
it is not worthwhile to present here in detail the well-formedness conditions for all 
constructs. Still, it is worthwhile to illustrate that kind of statement on some 
basic points and significant examples. Thus we single out the well-formedness of 
a state machine, as a paradigmatic case of a UML semantic model element. 

A state machine SM is well-formed over a signature diagram SD iff it fulfils 
the following rules: 

— well-formedness rules from the UML official specification (not depending on 
SD); e.g., "A final state cannot have any outgoing transitions."; 

— well-formedness rules depending on SD, mainly about elements of SM 
containing expressions/actions; e.g., for each transition of SM 

* the (OCL) expression of the guard is well-formed w.r.t. SD, the context 
class and the parameter list of the event, and has type Bool; 

* the event is well-formed w.r.t. SD and the context class, which depends 
on the kind of event: 

call event: the operation is an operation of the context class; 
change event: the (OCL) expression is well-formed w.r.t. SD and the 
context class, and has type Bool; 

* the action of the effect is well-formed w.r.t. SD, the context class and 
the parameter list of the event. 

Notice that checking whether an OCL expression or an action is well-formed 
w.r.t. SD, a class and a possibly empty list of typed free variables, and finding 
the type of a correct expression, are the basic ingredients for defining not only when 
a state machine is well-formed, but also the well-formedness of the other semantic model elements. 

We want to point out that it is not advisable to follow the inductive/constructive 
style of the algebraic specifications to define the well-formed UML 
models. The reason is that UML is a visual notation whose constructs are in 
large part variants of graphs, and thus they cannot be naturally defined by 
means of combinators/constructors, which only support tree-like structuring^c. 

As for the association holds/satisfies, [33] defines when a UML-formal 
system agrees with an OCL constraint and with a state machine. 
We have also made some feasibility studies concerning collaborations and 
activity graphs, whose results confirm that it is possible to define when a UML-formal 
system is in accord with one of these UML constructs. 

The formulae in our running UML model are obviously the diagrams of Fig. 3 
and 4, the methods of Fig. 2, the explicit constraints in Fig. 1 and the implicit 
ones in the class diagram of the same figure (such as the association multiplicities). 



UML BasicModel. The basic specifications in the UML framework are the 
UML models without packages, which we name UML basic models; indeed, the 
package is the basic and only UML construct for structuring a model. A UML 
basic model may be rearranged to explicitly present a signature diagram and a 
set of semantic model elements. The semantics of a UML basic model (association 
sem) is then defined as for the algebraic specifications, that is, the set of the 
UML-formal systems over its signature diagram that satisfy all its semantic 
model elements. 

Notice that a UML model without packages defined following the UML meta- 
model of [37] may be automatically transformed into the corresponding basic 
model, as already hinted before. 

A structured UML model should be a UML model containing various packages 
related by the various possible qualified relationships, such as import, access and 
specialize. A careful investigation of the package construct is needed to determine 
which are precisely the underlying structuring mechanisms. Moreover, the current 
package concept has been the subject of many criticisms, and new ways to intend 
it have been proposed for the forthcoming UML 2.0, see, e.g., 
[11]. For these reasons we have postponed the treatment of UML structured 
models. 

^c This aspect is common to any visual notation, not just to the UML. We followed 
the standard constructive style when presenting JTN [12], a Java-targeted visual 
notation, but at the expense of quite hard labour and of very long and complex 
definitions. 

7 Dealing with Consistency in the UML Framework 

7.1 Defining Consistency 

Using the various ingredients of the UML framework defined in Sect. 6 we can 
now define the various kinds of consistency in the same way as for the logical- 
algebraic case of Sect. 5. 

In the algebraic case we have that a basic specification is syntactically consis- 
tent (statically correct) whenever its signature is well-formed and all its formulae 
are well-formed over such signature. 

For the UML case we can state: 

— A UML basic model $UBM$, essentially a pair $(SD, \{SME_1, \ldots, SME_k\})$ with 
$SD$ a signature diagram and, for $i = 1, \ldots, k$, $SME_i$ a semantic model element, is 
syntactically consistent (well-formed / statically correct) iff $SD$ is well-formed 
and for $i = 1, \ldots, k$ $SME_i$ is well-formed over $SD$ (defined by the association 
f-over, see Sect. 6). 

Notice that in this way we do not need to define, for all kinds of semantic 
model elements, when they are pairwise syntactically consistent, just as in the 
logical-algebraic framework we never had to define which pairs of logical 
formulae are mutually syntactically consistent. Thus the technique we have 
proposed is quite modular/scalable; indeed our definition of syntactic consistency 
can easily be extended whenever the UML is extended: for each extension 
one has just to enlarge/restrict the set of the structural elements and of the 
semantic model elements, and if new kinds of elements are added, just define the 
new well-formedness conditions w.r.t. the signature diagram. 
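As an added illustration (not code from the paper, nor from [33] or the UML standard), the following Python sketch implements the static-correctness check just defined, together with the earlier well-formedness rules for signature diagrams and for a state machine over a signature diagram: a signature diagram is checked for the naming and typing rules of Sect. 6, a state machine is checked against it for final states, call/change events, guards and effects, and a basic model is statically correct iff the diagram is well-formed and every semantic model element is well-formed over it. All data structures, the tiny OCL-like expression language and the Account/Person classes are assumptions made for the example.

```python
# Added example (not from the paper): hypothetical data structures and a toy OCL-like
# expression fragment; the well-formedness rules follow the text of Sect. 6 and 7.1.
from dataclasses import dataclass, field

OCL_TYPES = {"Boolean", "Integer", "String"}  # subset of the predefined OCL types

@dataclass
class UmlClass:
    name: str
    attributes: list = field(default_factory=list)  # [(attr_name, type_name)]
    operations: list = field(default_factory=list)  # [(op_name, [(param, type_name), ...])]

def find_class(sd, name):  # a signature diagram SD is a list of UmlClass
    return next((c for c in sd if c.name == name), None)
def dups(xs):
    return sorted({x for x in xs if xs.count(x) > 1})

def sd_errors(sd):
    """Well-formedness of the signature diagram itself (naming and typing rules)."""
    errs = [f"duplicate class {n}" for n in dups([c.name for c in sd])]
    for c in sd:
        errs += [f"{c.name}: duplicate attribute {a}" for a in dups([a for a, _ in c.attributes])]
        errs += [f"{c.name}: duplicate operation {o}" for o in dups([o for o, _ in c.operations])]
        errs += [f"{c.name}.{a}: unknown type {t}" for a, t in c.attributes
                 if t not in OCL_TYPES and find_class(sd, t) is None]
    return errs

def expr_type(e, ctx, params):
    """Type of e over context class ctx and typed free variables params, or None if ill-formed.
    Forms: ('attr', a) ('param', p) ('int', n) ('bool', b) ('gt'|'sub', e1, e2) ('and', e1, e2) ('not', e1)."""
    tag = e[0]
    if tag in ("attr", "param"):
        return dict(ctx.attributes if tag == "attr" else params).get(e[1])
    if tag in ("int", "bool"):
        return "Integer" if tag == "int" else "Boolean"
    sub = [expr_type(x, ctx, params) for x in e[1:]]
    if tag in ("gt", "sub") and sub == ["Integer", "Integer"]:
        return "Boolean" if tag == "gt" else "Integer"
    if tag in ("and", "not") and sub and all(t == "Boolean" for t in sub):
        return "Boolean"
    return None

@dataclass
class Transition:
    source: str
    target: str
    event: tuple          # ('call', op_name) or ('change', expr)
    guard: tuple = None   # Boolean expression over ctx and the event's parameters
    effect: tuple = None  # ('assign', attr, expr), typed in the same scope

@dataclass
class StateMachine:
    context: str          # name of the context class
    final_states: set
    transitions: list

def sm_errors(sm, sd):
    """Well-formedness of a state machine over SD: the rules listed in the text."""
    ctx = find_class(sd, sm.context)
    if ctx is None:
        return [f"context class {sm.context} is not in the signature diagram"]
    ops, attrs, errs = dict(ctx.operations), dict(ctx.attributes), []
    for t in sm.transitions:
        at, params = f"{t.source}->{t.target}", []
        if t.source in sm.final_states:  # rule of the standard, independent of SD
            errs.append(f"{at}: final state has an outgoing transition")
        kind, arg = t.event
        if kind == "call" and arg in ops:
            params = ops[arg]            # event parameters are in scope for guard and effect
        elif kind == "call":
            errs.append(f"{at}: call event on unknown operation {arg}")
        elif expr_type(arg, ctx, []) != "Boolean":
            errs.append(f"{at}: change event expression is not Boolean")
        if t.guard is not None and expr_type(t.guard, ctx, params) != "Boolean":
            errs.append(f"{at}: guard is not a well-formed Boolean expression")
        if t.effect is not None and (attrs.get(t.effect[1]) is None
                                     or expr_type(t.effect[2], ctx, params) != attrs[t.effect[1]]):
            errs.append(f"{at}: ill-typed assignment to {t.effect[1]}")
    return errs

def syntactically_consistent(sd, smes):
    """UBM = (SD, {SME_i}) is statically correct iff SD is well-formed and each SME is well-formed over SD."""
    errs = sd_errors(sd) + [e for sm in smes for e in sm_errors(sm, sd)]
    return not errs, errs

# Constructed signature diagram and state machines (not the paper's running example).
ACCOUNT_SD = [
    UmlClass("Person", [("name", "String")]),
    UmlClass("Account", [("balance", "Integer"), ("owner", "Person")],
             [("withdraw", [("amount", "Integer")]), ("close", [])])]
GOOD_SM = StateMachine("Account", {"Closed"}, [
    Transition("Open", "Open", ("call", "withdraw"),
               guard=("gt", ("attr", "balance"), ("param", "amount")),
               effect=("assign", "balance", ("sub", ("attr", "balance"), ("param", "amount"))))])
BAD_SM = StateMachine("Account", {"Closed"}, [
    Transition("Open", "Open", ("call", "deposit")),                  # no such operation in SD
    Transition("Open", "Open", ("call", "close"), guard=("gt", ("attr", "owner"), ("int", 0))),
    Transition("Closed", "Open", ("call", "close"))])                 # leaves a final state
```

`syntactically_consistent(ACCOUNT_SD, [GOOD_SM])` returns `(True, [])`, whereas `BAD_SM` yields three errors, one per rule it breaks; note that no pairwise comparison between semantic model elements is ever needed, exactly as the text argues: each element is checked against the signature diagram alone.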

The horizontal semantic consistency of the UML basic models is defined as 
in the algebraic case. 

— A UML basic model $UBM$ is semantically consistent iff its semantics, a set 
of UML-formal systems, is not empty ($UBM.sem \neq \{\}$). 

Notice that this definition obviously requires having at hand a formal, 
or at least quite precise, semantics for the UML. 

We have thus given the general precise definition, but now we have to analyse 
UML models to look for the possible causes of semantic inconsistency. In the 
algebraic case the only causes of inconsistency are the presence in the specification 
either of an unsatisfiable formula or of two mutually contradictory formulae, 
although checking this in the general case is undecidable. Instead, we 
find that in a UML model there are many different causes of inconsistency, 
of very different natures. Here we list some of the most relevant ones: 

— a pre/postcondition is in contradiction with a method definition for the same 
operation; 

— a pre/postcondition is in contradiction with an activity graph associated 
with the same operation; 

— a pre/postcondition is in contradiction with a state machine associated with 
the same operation; 

— a precondition on an operation is in contradiction with a state machine or 
an activity graph including a call of such operation; 

— an invariant constraint is in contradiction with a state machine for the same 
class; 

— a collaboration including a role for class C is in contradiction with a state 
machine for class C. 



Notice that several cases are quite subtle, depending on the chosen 
semantics for the UML constructs; for example, it is quite hard to decide when 
two collaborations including a role for a class C are contradictory. If we assume 
that the semantics of a collaboration is to present one possible execution/life cycle/ 
... of the modelled system, then two collaborations will never be in contradiction. 

The semantics of the UML plays a fundamental role in discovering the possible 
kinds of inconsistency. Moreover, such a semantics should also help express in a 
precise (even if not formal) way the reason for the possible inconsistencies. 

Quite surprisingly, the actual semantics of pre/postconditions does not produce 
inconsistent models, but just pseudo-inconsistent ones (see Sect. 5.2). Recall 
that the semantics of the pre/postconditions associated with an operation in [37] 
is intended precisely as follows^d: 

"postcondition: a constraint that must be true at the completion of an operation." 

"precondition: a constraint that must be true when an operation is invoked." 

Thus, with this semantics a pre/postcondition does not constrain the associated 
operation, but just its usage; for example, an operation that is never called 
satisfies any pre/postcondition. 

Some cases of pseudo-inconsistency are: 

— an unsatisfiable invariant constraint on class C (it holds in trivial UML-formal 
systems where there are no instances of class C); 

— two contradictory invariant constraints (as before); 

— two contradictory preconditions (postconditions) for an operation (they 
hold in trivial UML-formal systems where the operation is never 
called); 
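The following Python sketch, added here as an illustration and not taken from the paper or from [33], makes the pseudo-inconsistencies above concrete. It encodes a generalized labelled transition system as defined in Sect. 6, with constructed states (sets of object instances) and labels (operation calls), and defines the holds relation for invariants and for pre/postconditions literally from the UML 1.x wording quoted above: the precondition is checked on the source state of every call, the postcondition on the target state of every call. A Hoare-style triple is included only for the contrast drawn in footnote d. The encoding, the Account class and both systems are assumptions of the example.

```python
# Added example (not from the paper): a generalized labelled transition system with
# constructed states, and the satisfaction relations suggested by the UML 1.x wording
# quoted in the text.  The encoding of UML-formal systems is hypothetical, not [33].
from dataclasses import dataclass

@dataclass(frozen=True)
class GLTS:
    """(STATE, LABEL, INFO, ->) with -> a subset of INFO x STATE x LABEL x STATE.
    A state is a frozenset of instances (class, id, attrs) with attrs a tuple of
    (name, value) pairs; a label is ('idle',) or (op, receiver_id, args)."""
    trans: frozenset  # of (info, s, label, s')

    @property
    def states(self):
        return {s for _, s, _, _ in self.trans} | {s for _, _, _, s in self.trans}

def instances(state, cls):
    return [dict(attrs) for c, _, attrs in state if c == cls]

def receiver(state, oid):
    return next(dict(attrs) for _, i, attrs in state if i == oid)

def calls(fs, op):
    """The transitions of fs labelled by a call of op: (source, receiver_id, args, target)."""
    return [(s, lab[1], lab[2], t) for _, s, lab, t in fs.trans if lab[0] == op]

def holds_invariant(fs, cls, inv):
    """Invariant on class cls: true of every instance in every state.
    Vacuously true when the system has no instances of cls (pseudo-inconsistency)."""
    return all(inv(o) for s in fs.states for o in instances(s, cls))

def holds_precondition(fs, op, pre):
    """'A constraint that must be true when an operation is invoked': checked on the
    source state of every call of op.  Vacuously true if op is never called."""
    return all(pre(receiver(s, oid), args) for s, oid, args, _ in calls(fs, op))

def holds_postcondition(fs, op, post):
    """'A constraint that must be true at the completion of an operation': checked on
    the target state of every call of op, whether or not its precondition held."""
    return all(post(receiver(t, oid), args) for _, oid, args, t in calls(fs, op))

def holds_hoare_triple(fs, op, pre, post):
    """For contrast: Hoare's {pre} op {post} only constrains calls whose precondition held."""
    return all(post(receiver(t, oid), args) for s, oid, args, t in calls(fs, op)
               if pre(receiver(s, oid), args))

# Constructed UML-formal systems.
def account(oid, balance):
    return ("Account", oid, (("balance", balance),))

EMPTY = frozenset()                                   # no Account instances at all
TRIVIAL = GLTS(frozenset({("system idles", EMPTY, ("idle",), EMPTY)}))

S0, S1, S2 = (frozenset({account("a1", b)}) for b in (10, 3, -4))
LIVE = GLTS(frozenset({
    ("body of withdraw", S0, ("withdraw", "a1", (7,)), S1),   # 10 - 7 = 3
    ("body of withdraw", S1, ("withdraw", "a1", (7,)), S2),   # 3 - 7 = -4: overdrawn
}))

# Constraints of the kinds listed in the text.
UNSAT_INV = lambda o: o["balance"] > 0 and o["balance"] < 0   # unsatisfiable invariant
PRE_BIG = lambda o, args: args[0] > 10                        # two contradictory preconditions
PRE_SMALL = lambda o, args: args[0] < 5
PRE_FUNDS = lambda o, args: o["balance"] >= args[0]           # a sensible precondition
POST_NONNEG = lambda o, args: o["balance"] >= 0               # a sensible postcondition

def pseudo_inconsistency_report():
    """(holds on TRIVIAL, holds on LIVE) for each constraint."""
    return {
        "unsat invariant": (holds_invariant(TRIVIAL, "Account", UNSAT_INV),
                            holds_invariant(LIVE, "Account", UNSAT_INV)),
        "contradictory pres": (holds_precondition(TRIVIAL, "withdraw", PRE_BIG)
                               and holds_precondition(TRIVIAL, "withdraw", PRE_SMALL),
                               holds_precondition(LIVE, "withdraw", PRE_BIG)
                               and holds_precondition(LIVE, "withdraw", PRE_SMALL)),
        "funds pre": (holds_precondition(TRIVIAL, "withdraw", PRE_FUNDS),
                      holds_precondition(LIVE, "withdraw", PRE_FUNDS)),
        "nonneg post (UML)": (holds_postcondition(TRIVIAL, "withdraw", POST_NONNEG),
                              holds_postcondition(LIVE, "withdraw", POST_NONNEG)),
        "nonneg post (Hoare)": (holds_hoare_triple(TRIVIAL, "withdraw", PRE_FUNDS, POST_NONNEG),
                                holds_hoare_triple(LIVE, "withdraw", PRE_FUNDS, POST_NONNEG)),
    }
```

Every constraint, including the unsatisfiable invariant and the pair of contradictory preconditions, holds on the trivial system, so a model containing them is not semantically inconsistent in the sense of Sect. 7.1, only pseudo-inconsistent. On the live system the second call of withdraw violates both its precondition and the non-negativity postcondition under the UML reading, while the Hoare-style triple is still satisfied because that call's precondition failed: this is the difference footnote d points at.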



As for the vertical semantic consistency between two UML models, 
we think that the approach chosen in the logical-algebraic framework could 
be sensible also in this case. The problem is that we have to define the UML 
counterpart of a specification function and to represent it visually, that is, 
a convenient way to define transformations over UML models. Unfortunately, 
there is no standard accepted proposal, but this is a hot topic in the UML 
community, also because of its importance within the MDA (Model 
Driven Architecture) approach [29]. 

^d Notice that UML pre/postconditions are quite different from Hoare's (a 
postcondition is not related to any precondition). 

7.2 Checking Semantic Consistency 

The list of all possible causes of semantic inconsistency in a basic UML model 
seems to be very long, and a very careful analysis is needed to complete it 
(see Sect. 7.1). Furthermore, each kind of inconsistency poses a different kind of 
technical problem, from classical satisfaction problems in first-order logic or 
in Hoare logic, to checking whether a sequence is a possible path in a transition 
tree, or whether a transition tree agrees with a partial order. As a consequence, 
a single method for detecting all possible inconsistencies is not feasible. Moreover, 
the semantic inconsistencies depend on the UML semantics, which may change, 
e.g., at semantic variation points, or because we are using a UML profile for a 
particular development method, for a particular phase of the development, or 
for a particular application domain. On the other hand, a development method 
based on the UML in general uses only models having a particular form (for 
example, some constructs are never used, or used only in a particular context, 
or used only in a particular form, e.g., state machines only associated with active 
classes). 

Thus, to cope with (horizontal) semantic inconsistencies we propose to design 
development methods based on the UML with the following characteristics. 

• First of all, the method should require producing UML models with a precise 
syntactic structure. That structure must also guarantee the syntactic 
consistency of those models. 

For example, the method may require that 

* for each operation of a class there is either a pre/postcondition or a 
method definition, but not both; 

* a use case is complemented by a set of sequence diagrams, each of 
them representing an alternative scenario; 

* at most one invariant is associated with each class and at most one 
pre/postcondition with each operation. 

The problem of checking whether a model has the required syntactic form 
should be decidable, and thus it should be possible to develop tools to 
perform such a check; for example, tools for evaluating OCL formulae, tools 
based on XML technologies, or tools for evaluating conditional rules. 

• The intended (formal) semantics of the UML models produced following the 
method should be defined. 

• The UML models having the particular form required by the method and 
the chosen semantics should be analysed w.r.t. consistency. 

Thus it should be possible to factorize the checking of consistency into 
a precise list of subproblems. If the possible causes of inconsistency are too 
many or too subtle, perhaps the method needs to be revised, by making the 
structure of the produced models more stringent, or perhaps the trouble is 
due to the chosen semantics. 

• For each inconsistency subproblem detected in the previous activity, 

* it should be described rigorously for the developers in terms of UML 
constructs, without formalities (if you know it, you can avoid it); 

* guidelines helping detect its occurrences should be developed, using the 
available techniques, such as automatic tools, inspection techniques, 
checklists, sufficient static conditions, .... 

As an experiment, we have applied the approach proposed in this subsection 
to analyse a method for requirement specification based on UML, first introduced 
in [5] and presented in more detail in [6]. The method requires 
the UML models presenting the requirements to have a precise form and, 
obviously, to be statically consistent. The proposed approach seems to be quite 
effective in this case; indeed, the possible causes of semantic inconsistency 
have been found explicitly, and they are not too many, because the method 
requires producing UML models with a very tight structure, and makes precise 
the semantics of every construct used. As for support for detecting 
the various possible inconsistencies, we are extending the ArgoUML tool with 
many new critiques, each signalling either an inconsistency (for example, 
those concerning the static aspects) or a possible cause of inconsistency (e.g., a 
postcondition for an operation of a class with an invariant on the same class), 
with an explanation of the reason. One of the most problematic points concerning 
semantic consistency is checking whether a state machine is in contradiction with 
a sequence diagram; to help with this check we are trying to use a prototyping tool 
[28]. 

The above experiment showed the fundamental importance of defining a precise, 
explicit semantics for the UML constructs used. For example, in the method 
a state machine is used to define the behaviour of each use case, but its semantics 
is different from the original one. Indeed, under the new semantics a state 
machine describes A SET of the possible lives of the instances of the context 
class, whereas the original semantics states that a state machine describes ALL 
such lives. Thus, two state machines with the new semantics can never be in 
contradiction. 

8 Conclusions 

Consistency is a really big problem in practical software development, where 
scale, heterogeneity and methods do matter. The case of UML-based software 
development is a good example of the issues that may arise. 

Here, contrary to the vast majority of the current literature on the subject, 
we have taken an unorthodox approach, starting from the experience we have 
gained in many years of involvement with logical-algebraic techniques. As 
an exploratory experiment, we have presented the problem and then tried to 
propose a framework for handling the consistency problems of the UML, inspired 
by the framework of logical-algebraic specifications. Admittedly, at first sight 
the proposal may look naive; perhaps most people will be surprised to see a 
state machine playing the role of a formula, and indeed one may wonder what 
the benefit of that analogy can be. But if we exploit that analogy to build a UML 
framework for consistency, then we can forget the terminology (formulae, formal 
models, signatures, etc.) and handle the consistency issues knowing exactly what 
should be done, and thus also what we are not able to do, for example because 
we do not have at hand a precise semantics. In particular, we have a setting 
in which to locate, with their merits and limits, the proposed approaches. 

Our analysis is preliminary and incomplete, especially as far as vertical 
consistency is concerned. Still, we believe that it shows the feasibility of the following, 
even for the new UML versions to come: 

— a precise and sensible way to define the various kinds of inconsistency 
(static, semantic intra-model, semantic inter-model); 

— a workable method for detecting static inconsistency (in other communities 
just known under the name of static correctness), which is quite modular 
and scalable; 

— a possible methodological approach to cope with semantic intra-model 
inconsistency, especially with approaches that are, in our own terminology, 
"well-founded" and use "tight structuring". 

As side remarks, we believe that some ADT concepts and frameworks are still 
useful in providing clarification and practical guidance; but new problems are also 
appearing, such as the syntactic presentation of visual multi-view notations, an 
aspect currently handled in the UML by metamodelling. 

As already pointed out before, there are two aspects not treated at all in our 
analysis, namely structuring and vertical consistency. For the first it seems more 
sensible to wait for a new version of the UML. As for the second, a link has 
to be established with the so-called MDA (Model Driven Architecture) approach 
[29] proposed by the OMG for developing software, where the relevant relationships 
between different UML models will be singled out; for example, those between the 
so-called Platform Independent Models and the corresponding Platform Specific 
Models. 
Abstract. The aim of the MMiSS project is the construction of a multimedia 
Internet-based adaptive educational system. Its content will initially 
cover a curriculum in the area of Safe and Secure Systems. Traditional 
teaching materials (slides, handouts, annotated course material, 
assignments, and so on) are to be converted into a new hypermedia 
format, integrated with tool interactions for formally developing correct 
software; they will be suitable for learning on campus and distance 
learning, as well as interactive, supervised, or co-operative self-study. 
To ensure "sustainable development", i.e. continuous long-term usability 
of the contents, coherence and consistency are especially emphasised, 
through extensive semantic linking of teaching elements and a particular 
version and configuration management, based on experience in formal 
software development and associated support tools. 



1 Introduction and Overview 

In the last few years the area of safe and secure systems has become more and 
more important. Software is increasingly used to control safety-critical embedded 
systems, in aeroplanes, spaceships, trains and cars. Despite its associated 
security risks, electronic commerce over the internet is rapidly expanding. This 
requires better training of computer scientists in the foundations and practical 
application of the formal methods used to develop these systems. The aim of 
the MMiSS project (MultiMedia instruction in Safe and Secure Systems) is to 
set up a multimedia internet-based adaptive educational system, covering the 
area of Safe and Secure Systems. With a consistent integration of hypermedia 
course materials and formal programming tools, teaching in this area will attain 
a level hitherto impossible in this form. The system will be as suitable for 
learning on campus and for distance learning with its associated management of 
assignments, as it is for interactive, supervised, or co-operative self-study. 

At the core of the system is the hypermedial adaptation of a series of courses 
or lectures on the development of reliable systems. The teachers should be able 
to store various sorts of course material, such as overhead slides, annotations, 
lecture notes, exercises, animations, bibliographies, and so on, and retrieve them 
again for use in teaching, notably also re-using material of other authors. The 
system provides a formal framework for the integration of teaching materials 
based on a semantic structure (ontology) and enables fast directed access to 
individual teaching elements. 

An initial collection of courses is already available and should be further 
developed hypermedially as part of the project in an Open Source Forum (cf. 
Sect. 8). It covers the use of formal methods in the development of (provably) 
correct software. Highlights include data modelling using algebraic specifications; 
modelling of distributed reactive systems; handling of real time with discrete 
events; and the development of hybrid systems with continuous technical 
processes, so-called safety-critical systems. The curriculum also covers informal 
aspects of modelling, and introduces the management of complex developments 
and the basics of security. 

The teaching material should, where possible, be available in several different 
variants. It should be left to the teachers, or the students, to choose between 
variants, according to the educational or application context. For example reac- 
tive systems could be modelled with either process algebras or Petri-nets; the 
material could be available in English or other natural languages. The system 
also contains meta-data, representing ontological, methodological and pedagog- 
ical knowledge about the contents. 

An important educational aspect is to teach about the possibilities and limits 
of formal tools. Tools for formal software development should be integrated in 
the system, to illustrate and intensify the contents to be taught. Thus students 
doing assignments can use the system to test their own solutions, while gathering 
experience with non-trivial formal tools. The integration of didactic aspects with 
formal methods constitutes a new quality of teaching. It will become possible 
both to present a variety of formal tools as a subject for teaching, and to use 
them as a new medium. Thus an algorithm can for instance be simultaneously 
developed, presented, and verified. 

The goal of applying the MMiSS-system in as many universities and com- 
panies as possible, and the fact that the area of Safe and Secure Systems will 
further evolve in the future, requires the highest level of flexibility, extensibility 
and reusability of the content. It should be possible to incrementally extend or 
adapt content and meta-data, to suit the teacher’s individual requirements, and 
to keep them up-to-date. We expect the system to be easily adapted and well 
usable in other subject domains. 

As the individual parts of a curriculum rely on each other, there is a network 
of semantic dependencies that the system should be able to administer; at the 
least it has to offer version and configuration management. Additionally, an 
ontology allows better support for orientation and navigation within the content. 
It forms the basis for adaptation to the user, for example by learning from 
exercises which concepts the students have understood, and by adapting future 
assignments accordingly. 

The formalisation of semantic dependencies means that the system can help 
to maintain the consistency (and completeness) of the content. Definitions must 
be coordinated to suit each other; the removal or adaptation of some material 
may force the removal or adaptation of all dependent concepts. In formal soft- 
ware development, a similar problem has to be solved: there are also semantic 
dependencies between different parts of a development, for example between 
specification and implementation. Some of the project partners have already de- 
veloped techniques for the administration of such dependencies as things change, 
and implemented them in development tools. Here we perceive an important 
synergy between expertise in formal software development - and support tools - 
and the demands of long-term sustainable development for re-use of consistent 
multimedia materials in an efficient and productive educational system. 

Outline. Although the MMiSS project is concerned with the development of a 
multimedia-based education system for safe and secure systems, the techniques 
and tools developed in this project are not restricted to this particular area. In 
this sense we start with a description of general concepts for structuring documents 
according to their semantics in Sect. 2 and briefly sketch an extension of LaTeX, 
called MMiSS-LaTeX, that allows the specification of these additional structuring 
concepts. Sect. 3 describes the particular ontology used to structure the contents 
in this particular problem domain. Sect. 4 illustrates the tool support of MMiSS 
for creating or maintaining such course material. MMiSS provides various authoring 
tools to transfer LaTeX or PowerPoint based course material, enriched with 
additional semantic information, into the MMiSS Repository, which maintains 
versions, configurations and the (user-defined) consistency of the material. Sect. 7 
focusses on the presentation of the teaching material stored in the Repository. 
MMiSS supports two presentation mechanisms: one simply uses the layout 
information as it is encoded in input documents written in MMiSS-LaTeX, and the 
ActiveMath environment dynamically generates the presentations according 
to the skills and needs of the user. We conclude this presentation in Sect. 8 with 
a preliminary evaluation of teaching experiences using the MMiSS tools and with 
a view towards future developments. 

2 Structuring Mechanisms for Documents 

MMiSS aims at the support of the creation, the maintenance and the presenta- 
tion of education material dedicated to various courses or lectures in a domain. 
As an author, one has to be aware of the various (mainly semantically ori- 
ented) structuring mechanisms hidden in these documents. Writing, for instance, 
a mathematical document in LaTeX, there is an explicit syntactical structure of 
the document triggered by LaTeX commands such as section, paragraph, etc. 

MultiMedia Instruction in Safe and Secure Systems 85 
Additionally, there are other more semantically oriented structuring mechanisms. 
Defining mathematical entities, we are likely to build up a hierarchy of defini- 
tions. In a conventional document, we do not represent these relations 
explicitly. However, we have to keep them in mind once we want to change doc- 
uments in a consistent way. The overall design of MMiSS aims at an explicit 
representation of such relations, e.g. 

— to navigate in the material along the semantical relations: during class, as a 
teacher; after class or during self-study, as a student; 

— to support maintenance and update of course material. 



2.1 An Ontology of Users 

Ontologies provide the means for establishing a semantic structure. An ontology 
is a formal explicit description of concepts in a domain of discourse. Ontologies 
are becoming increasingly important because they also provide the critical se- 
mantic foundations for many rapidly expanding technologies such as software 
agents, e-commerce and knowledge management. Ontologies consist of concepts 
and relations between these concepts. Properties of a concept are specified by 
describing its various features and attributes. For the representation we use a 
subset of the modelling language UML, the current de facto standard language for 
software development. As an ontology describes domain concepts abstractly by 
means of classes, subclasses and slots, UML seems to be particularly well-suited 
for the diagrammatic representation of the ontology [5]. 

Before we explore the variety of MMiSS Document Constructs for structuring 
in the sequel, let us consider a little example of an ontology in Fig. 1; for a more 
extensive treatment of the ontology subject see Sect. 2.6 and Sect. 3 below. 

The example shows an ontology of potential Users of MMiSS and their Roles, 
resp. A Professor, as an Academic User, may assume the Role of a Teacher, thereby 
only having reading access to the material, or of an Author with a particular 
kind of writing access. This ontology is of course much simplified (there are also 
Developer and Administrator Roles, etc.). As notation we use a subset of UML 
class and object diagrams. It shows, however, the general principles: 

— a taxonomic hierarchy of classes (the fat arrow with a triangular head de- 
notes the “subclassOf” relation), e.g. a Professor is an Academic User, inher- 
iting all its properties, 

— individuals (“objects”) of these classes (not shown here, but cf. _deAttribute_ 
in Fig. 3 as an object of class LanguageAttribute, distinguished in the notation 
by underlining or leading and trailing underscores), and 

— a (hierarchy of) relations (called associations in UML), declared between the 
classes and applied to objects, e.g. User assumesRole Role. Note that relations 
are inherited by the classes involved, e.g. Professor assumesRole Teacher. 

We will use this notation to define and illustrate (parts of) the MMiSS ontology 
in the sequel. As an experiment in formatting, classes, objects and relations 
relating to the ontology used in this paper are highlighted by special fonts when 
referred to in the text (as in ontology), and classes and objects pertaining to the 
MMiSS ontology are capitalised (as in LanguageAttribute). 

2.2 Document Structure 

Structural Entities. The primary purpose of structuring documents is con- 
ceptual. We are used to textually nesting paragraphs in sections, and sections in 
other sections, possibly classified into (sub)subsections, chapters, parts of docu- 
ments or the like. The same is true here, cf. Fig. 2 that shows part of the ontology 
of MMiSS Structural Entities: Sections may be nested; they are not classified as 
chapters or the like to ease re-structuring without the need for renaming (section 
numbering etc. is, if desired, done automatically anyway during layout; the title 
of a Section will appear in a table of contents). A Section may contain smaller 
nested entities such as Units or Atoms, see below. 

The largest Structural Entity is a Package. A Package is a document that cor- 
responds to a whole course or book and contains all Structural Entities pertaining 
to it. A Package contains a Prelude that contains a kind of “global declarations” 
for it, e.g. a BibliographyPrelude, or an ImportPrelude for other Packages (“struc- 
turing in-the-large”), see Sect. 2.3. 

Ontology Prelude. In particular, it may contain an OntologyPrelude, where 
the elements of an ontology may be declared (cf. Sect. 2.6); it acts like a 
signature of the Package for semantic interrelation, promising these elements to 
be defined in this Package, such that they become available when imported by 
another. 

Fig. 2. (Partial) Ontology of Structural Entities. 

Sections, Units and Atoms. Each Section should contain three special sub- 
Sections or Units: The Abstract contains an overview of the Section; the Introduc- 
tion gives a motivation for the content to come and sets a didactic goal (“what 
we are about to learn”); the Summary at the end recalls the highlights of the 
content (“what we have learned”). Note that there are no explicit “transition” 
Paragraphs between Sections since they would assume a given order; instead, the 
Introduction should refer to the upper context (“what we already know”), if nec- 
essary, and the Summary should provide forward references to the lower context 
(“what we will learn more about”) in subsequent Sections. 

B. Krieg-Brückner et al. 

A Section may contain Units, and Units may contain other Units or Atoms. 
A Unit is an entity one would like to be able to keep together and eventually 
present as a whole as far as possible, i.e. on a single slide in a lecture (or a single 
page in a book), possibly with a continuation slide with the same title. The 
Unit is the primary structuring facility; it is the minimal context for editing and 
the primary unit of change (corresponding to a node in the structure graph, see 
change management in Sect. 6.3). 

As we see in Fig. 2, a ClosedUnit may be used to classify the enclosed content 
to be of a particular kind, e.g. a whole Theory in a particular Formalism such as 
Casl. A CompositeUnit may have further internal structure, for example a List, 
a Table, a structured Proof, or an Example. 

An Atom, such as a TextFragment or a TheoryFragment (e.g. an Axiom), is an 
indivisible leaf of structuring and the smallest Structural Entity that can be shared 
(see Sec. 2.2 on structural sharing); it is usually not shown in the structure graph 
unless a visualisation of the micro-structure of a Unit is explicitly requested. 

Conceptual and Formal Structure. The (partial) ontology in Fig. 2 is tai- 
lored to the particular application domain of the MMiSS project: safe and se- 
cure systems with formal methods. While it is meant to be generally applicable 
and extensible, it also specially caters for formal, e.g. mathematical, documents. 
Therefore some of the Units or Atoms may be classified as formal; these are asso- 
ciated with a particular Formalism. A Formalism comprises, in general, a formal 
Syntax and (hopefully more often than not) a formal Semantics, cf. also Sect. 3. 
Examples are a Program in a programming language or a Theory in a specifica- 
tion language. Thus a formal Atom such as an Axiom, while being atomic from a 
document structuring point of view, may indeed have further substructure when 
analysed by a specialised tool. 

This way the structure graph contains the formal structure as a subgraph (cf. 
Fig. 14). A particular document may contain consistent formal sub-documents, 
e.g. a complete executable Program or a complete Theory, to be analysed to- 
gether. 

Sharing. Formal entities may be embedded piecewise (e.g. just an Axiom of a 
Theory), as they are being introduced and explained from a conceptual or peda- 
gogical point of view. However, it is also a good idea to present them together, 
possibly in a separate part of the same document. Thus they are exhibited as a 
consistent whole, both from a conceptual point of view (e.g. a complete Theory 
with all TheoryFragments put together) and the technical consideration of having 
a complete formal document that can be treated by a tool (e.g. analysis of a com- 
plete Theory or compilation and execution of a Program with input data). Note 
also that it is often necessary for pedagogical purposes to be able to present al- 
ternatives and variations in a document, even incomplete or intentionally wrong 
ones that should not be subjected to formal analysis. 

Units or Atoms of such a whole formal (sub)document may then be referred 
to repeatedly in other parts of the document; one would often wish them to be 
included as such instead of a mere Reference. Indeed, an entity will often appear 
in more than one place, e.g. as an Axiom in an explanatory Paragraph and as 
part of a consistent and complete Theory in an appendix. A copy will not do; 
common experience dictates that two copies of the “same” entity have a tendency 
to differ eventually. Thus structural sharing is needed, avoiding the danger of un- 
intentional difference: an Axiom named by a Label in one part of a document (or 
a different document) may be included by an IncludeAtom operation, with a link 
to this Label, in another¹. This operation will trigger a textual expansion in the 
presentation of the document such that both occurrences are indistinguishable in 
the presentation. In the source, the Axiom has a “home” where it can be edited, 
whereas it cannot be edited at the positions of the IncludeAtom operation. From 
a methodological point of view, it is preferable to maintain a complete Theory, 
which is, however, structured in such a way that links to a particular Axiom are 
possible from other places. 

Sharing is not restricted to formal entities. Indeed, whole sub-documents can 
be shared when composing a new document from bits and pieces of existing ones. 

Comprises and ReliesOn Relations. The textual nesting gives rise to con- 
tains relations and the include operations to includes relations corresponding to 
arrows in a directed acyclic graph, the structure graph, see Sect. 5.4 (cf. also Fig. 2 
and Fig. 14). An Axiom, for instance, is contained in a Section, while Sections 
are themselves contained in Packages. MMiSS defines a hierarchy of Structural 
Entities to define the contains relation, e.g. Packages, Sections, Units, or Atoms. 
The contains and includes relations are special cases of the comprises relation; in 
the sequel we will make use of this comprises relation to define an appropriate 
change management for MMiSS-documents. 

Besides the comprises relations, there is a family of reliesOn relations, re- 
flecting various semantic dependencies between different parts of a document 
(cf. Fig. 2). For example, an Assertion (such as a Theorem) livesin a Theory, a 
Proof proves an Assertion, an Example illustrates a Definition, and so on. In this 
case, we would usually like to insist on a linear order of appearance, i.e. the 
right-hand-side (target) of the relation should (textually) be presented before 
the left-hand-side. 
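The structure graph, the textual expansion of an IncludeAtom and the ordering 
constraint on reliesOn relations can be checked mechanically. The following 
Python is an added example written for this edition and is not MMiSS code: 
the Entity and StructureGraph classes, the sample document in build() and all 
Labels in it are constructed here, and the order check takes the position of an 
entity's home (its defining occurrence) as its presentation position, which is an 
assumption of this example. 

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Entity:
    """A Structural Entity (constructed model, not MMiSS code). An include
    node (IncludeAtom etc.) has no Label of its own; `include` holds the
    Label of the shared entity's home."""
    kind: str
    label: str | None = None
    text: str = ""
    children: list[Entity] = field(default_factory=list)
    include: str | None = None


class StructureGraph:
    """Nodes are the homes of labelled entities; edges form the comprises
    relation: contains from textual nesting, includes from include nodes."""

    def __init__(self, root: Entity):
        self.home: dict[str, Entity] = {}
        self.order: list[str] = []                  # textual order of the homes
        self._collect(root)
        self.comprises: dict[str, list[tuple[str, str]]] = {
            label: [(c.label, "contains") if c.include is None else (c.include, "includes")
                    for c in e.children]
            for label, e in self.home.items()}
        for targets in self.comprises.values():
            for target, _ in targets:
                if target not in self.home:
                    raise ValueError(f"link to undefined Label {target!r}")

    def _collect(self, e: Entity) -> None:
        if e.include is not None:
            return                                  # not a home: nothing is edited here
        if e.label is None or e.label in self.home:
            raise ValueError(f"every home needs exactly one Label: {e.label!r}")
        self.home[e.label] = e
        self.order.append(e.label)
        for c in e.children:
            self._collect(c)

    def is_acyclic(self) -> bool:
        """comprises must be a DAG; a cycle of includes could never be expanded."""
        state: dict[str, int] = {}                  # 1 = on the DFS stack, 2 = finished

        def visit(label: str) -> bool:
            state[label] = 1
            for target, _ in self.comprises[label]:
                if state.get(target) == 1 or (target not in state and not visit(target)):
                    return False
            state[label] = 2
            return True

        return all(label in state or visit(label) for label in self.home)

    def render(self, label: str, depth: int = 0) -> str:
        """Textual expansion: an include shows the home's current text, so the
        two occurrences are indistinguishable and cannot drift apart."""
        e = self.home[label]
        line = "  " * depth + f"{e.kind} {label}" + (f": {e.text}" if e.text else "")
        return "\n".join([line] + [self.render(t, depth + 1) for t, _ in self.comprises[label]])

    def order_violations(self, relies_on: list[tuple[str, str, str]]) -> list[str]:
        """reliesOn triples (source, relation, target): the target must be
        presented before the source (assumption: position of the home)."""
        pos = {label: i for i, label in enumerate(self.order)}
        return [f"{s} {rel} {t}" for s, rel, t in relies_on if pos[t] > pos[s]]


def build() -> StructureGraph:
    """Constructed sample: a complete Theory in its own Section, one Axiom of
    which is shared into an explanatory Paragraph later in the document."""
    theory = Entity("Theory", "th-monoid", children=[
        Entity("Axiom", "ax-assoc", "x + (y + z) = (x + y) + z"),
        Entity("Theorem", "thm-unit", "unit + x = x"),
    ])
    example = Entity("Example", "ex-nat", "the natural numbers with + and 0")
    definition = Entity("Definition", "def-monoid", "a set with an associative operation and a unit")
    explain = Entity("Paragraph", "par-explain", "associativity, as introduced above:",
                     children=[Entity("IncludeAtom", include="ax-assoc")])
    proof = Entity("Proof", "prf-unit", "immediate from the axioms")
    root = Entity("Package", "pkg-monoids", children=[
        Entity("Section", "sec-theory", children=[theory, example]),
        Entity("Section", "sec-discussion", children=[definition, explain, proof]),
    ])
    return StructureGraph(root)


RELIES_ON = [("prf-unit", "proves", "thm-unit"),        # target presented first: fine
             ("thm-unit", "livesIn", "th-monoid"),      # fine
             ("ex-nat", "illustrates", "def-monoid")]   # Definition comes later: violation
```

Editing the Axiom at its home (g.home["ax-assoc"].text) changes the rendering 
of the Paragraph as well, which is exactly the property a copy would lack. 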

2.3 Packages 

Packages provide a means for modular document development by introducing 
name spaces. When writing a document, authors introduce identifiers as Labels 
for Structural Entities or as technical terms in an ontology. If these identifiers, 
subsumed as names in the sequel, are defined more than once, we say there is a 
name clash. 

A Package encapsulates the name space of a document, such that names de- 
fined in a Package do not clash with names from other Packages. In order to use 
names from other Packages, these have to be imported explicitly (see below). In 
other words, Packages are very much like modules in programming languages 
such as Modula-2, Haskell, or Java. 

Package Hierarchy. Packages are organised in a folder hierarchy, with the 
names given by paths. Because path names can get very long, paths can be re- 
named by Path declarations (aliases) of the form 

a = p1-p2-...-pn 

where a is the new alias, and p1, ..., pn are either folder names or previously 
defined aliases, subject to the condition that each alias is defined exactly once, 
and Path declarations are acyclic. 

There are three special aliases: Current refers to the folder of the Package it 
is used in; Parent refers to the parent folder; and Root refers to the root folder 
of the folder hierarchy (thus, the three special aliases correspond to ., .. and 
/ in Posix systems). Users are discouraged from using the Root alias, since it makes 
reorganising the folder hierarchy difficult; it is mainly intended for usage by tools. 

¹ It is technically immaterial whether the Axiom appears in the Paragraph and the 
IncludeAtom operation in the Theory, or vice versa. 

Export and Import. The local names are those defined in this package (as 
opposed to names imported into the package). By default, all local names are 
exported. Imported names may be re-exported. It is not possible to restrict the 
export; rather, name clashes and restrictions are resolved on import. 

A Package specifies the imported packages in the ImportPrelude. The Import- 
Prelude contains a number of ImportPreludeDecls; each specifies a Package to 
be imported, plus a number of import directives. Import directives allow us to 
specify: 

— Path aliases; 

— Local or global import (when importing globally, the imported names are 
re-exported); 

— Qualified or unqualified import (when an import is qualified, the imported 
Labels for Structural Entities are prefixed with the name of the Package from 
which they are imported); 

— Hiding, revealing, or renaming of imported names (when we hide a name, it 
is not imported; when we reveal names, only these are imported). 
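As an added illustration (not MMiSS code), the following Python models 
Package name spaces with the directives listed above: alias resolution under 
the acyclicity condition, local and global import, qualified import, and hiding, 
revealing and renaming, with name clashes detected on import. The Package 
names, the declarations in demo(), the keyword names of the directives and the 
use of a list of parts for a Path declaration are assumptions of this example. 

```python
from __future__ import annotations
from dataclasses import dataclass, field


def resolve_aliases(decls: dict[str, list[str]]) -> dict[str, list[str]]:
    """Expand Path declarations to plain folder paths.

    decls maps each alias (defined exactly once, hence a dict key) to its
    parts p1 ... pn: folder names, the special aliases Current/Parent/Root,
    or previously defined aliases. Cyclic declarations are rejected.
    """
    resolved: dict[str, list[str]] = {}
    visiting: set[str] = set()

    def expand(alias: str) -> list[str]:
        if alias in resolved:
            return resolved[alias]
        if alias in visiting:
            raise ValueError(f"cyclic Path declaration through {alias!r}")
        visiting.add(alias)
        path: list[str] = []
        for part in decls[alias]:
            path.extend(expand(part) if part in decls else [part])
        visiting.discard(alias)
        resolved[alias] = path
        return path

    for alias in decls:
        expand(alias)
    return resolved


@dataclass
class Package:
    """Name space of one document (constructed model). Local names are always
    exported; an imported name is visible under its (possibly renamed or
    qualified) name and is re-exported only when imported globally."""
    name: str
    local: set[str]
    imported: dict[str, tuple[str, str]] = field(default_factory=dict)  # visible -> (package, original)
    reexported: set[str] = field(default_factory=set)

    def exports(self) -> set[str]:
        return self.local | self.reexported

    def import_from(self, other: Package, *, qualified: bool = False,
                    globally: bool = False, hide=(), reveal=(),
                    rename: dict[str, str] | None = None) -> None:
        """One ImportPreludeDecl with its directives. Clashes are detected
        before anything is imported, so a failed import changes nothing."""
        rename = rename or {}
        available = other.exports()
        unknown = (set(hide) | set(reveal) | set(rename)) - available
        if unknown:
            raise ValueError(f"{other.name} does not export {sorted(unknown)}")
        wanted = set(reveal) if reveal else available - set(hide)
        plan: dict[str, str] = {}
        for original in sorted(wanted):
            visible = rename.get(original, original)
            if qualified:
                visible = f"{other.name}.{visible}"
            if visible in self.local or visible in self.imported or visible in plan:
                raise ValueError(f"name clash in {self.name}: {visible!r}")
            plan[visible] = original
        for visible, original in plan.items():
            self.imported[visible] = (other.name, original)
            if globally:
                self.reexported.add(visible)


def demo() -> dict[str, object]:
    """Constructed packages (hypothetical names): a Course package that
    re-exports Logic, imports Casl with a renaming to avoid a clash, and a
    second package that can only import Course qualified."""
    logic = Package("Logic", {"Axiom", "Theorem", "Proof"})
    casl = Package("Casl", {"Axiom", "BasicSpec"})
    course = Package("Course", {"Lecture"})
    course.import_from(logic, globally=True)                 # Logic's names are re-exported
    course.import_from(casl, rename={"Axiom": "CaslAxiom"})  # a plain import would clash on Axiom
    casl_lecture = Package("CaslLecture", {"Lecture"})
    try:
        casl_lecture.import_from(course)                     # Lecture clashes with the local Lecture
        clash = None
    except ValueError as exc:
        clash = str(exc)
    casl_lecture.import_from(course, qualified=True)         # Course.Lecture etc.: no clash
    return {"visible": sorted(course.imported), "exports": sorted(course.exports()),
            "clash": clash, "qualified": sorted(casl_lecture.imported)}
```

Note that CaslAxiom and BasicSpec, imported locally, are visible in Course but 
not among its exports, whereas the globally imported names of Logic are. 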



2.4 Attributes 

The possibility to define Attributes is a central feature for a Structural Entity, 
cf. Fig. 3. Standard StructureAttributes are e.g. the individual Label and Title of 
some Section or Unit. 

Inheritance of Attributes. Most importantly, attribute inheritance to nested 
Structural Entities relieves the author from specifying Attributes over and over 
again and avoids cluttering; at the same time, an Attribute may be superseded 
for a nested “subtree” of Structural Entities. 

Authors and Version Attributes. Each Structural Entity has an Authors 
and a Version Attribute (see also version control in Sect. 6.2). These Attributes 
record the author(s) of each fragment (inherited by nested Structural Entities). 
The System automatically keeps track of PriorAuthors and the authorship of 
individual Revisions. 
Fig. 3. (Partial) Attribute Ontology. 



Layout and Animation Attributes. As will be discussed further in Sect. 7.1 
and 7.2, presentation issues such as layout and animation should be separable from 
the “logical” content of a Structural Entity and should be confined to the neces- 
sary only. It is a relief that these can be specified independently as attributes and 
that attribute inheritance takes care of otherwise tedious repetition of logically 
irrelevant presentation detail. The specification, for example, that list items on 
a slide should be rolled out one after another could be specified at the root of 
a (sub)document and applies to it as a whole unless re-specified for a nested 
subdocument. Similarly, a revision of such a specification need only be made at 
its root. 



2.5 Variants 

Perhaps the most innovative feature of the MMiSS project is the definition 
of VariantAttributes and the management of documents with several different 
variants in a consistent way. 

Natural Languages. Let us take the LanguageAttribute as an example, cf. 
Fig. 3. A LanguageAttribute specifies the natural language in which a text is 
written, following the language codes of IETF RFC 1766 / ISO 639. The default 
is en-GB (British English), overriding the standard ANY attribute that is usually 
the default for the other VariantAttributes. Another example is de (German). 

Let us now assume that an author wants to manage e.g. English and German 
documents in parallel. Most probably, the author would want the structure of the 
two documents to be identical as they are being used for the same purpose, e.g. 
slides for a Lecture. In this case, s/he may edit two copies of the same document 
side by side, e.g. in two separate windows of the XEmacs editor (cf. Sec. 5). 
These two variants should have the same structure, i.e. the same Structural En- 
tities, nested in the same way, where each of them has the same Label as in the 
other variant, resp. This ensures that the structures of the two variants can be 
compared, and are consistent and complete, during configuration management 
(cf. Sec. 6.2). In fact, in the Repository the two variants of the document are 
merged such that two variants can be identified for each Structural Entity. Thus 
the author may also edit one variant first and then the other step by step, for 
each Structural Entity separately, along the structure of the first. Similarly, an 
individual revision for one Structural Entity is possible, with the two variants side 
by side. 

The structuring relations introduced by these various notions of variants are 
represented in the MMiSS-system by the variantOf relation. 
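Attribute inheritance (Sect. 2.4) and the structural comparison of variants 
described above can be illustrated together. The Python below is an added 
example and not MMiSS code: a Structural Entity is a tuple of Label, own 
Attributes, text and children; the attribute names, the root-level defaults and 
the two sample variants (en-GB and de) are constructed for this example. 

```python
from __future__ import annotations
from typing import Any

# Constructed model: (Label, own Attributes, text, children). The attribute
# names and these defaults are assumptions; the page gives en-GB as the
# Language default and ANY as the usual default for other VariantAttributes.
Node = tuple[str, dict[str, str], str, list[Any]]

DEFAULTS = {"Language": "en-GB", "Format": "ANY", "Detail": "ANY"}


def flatten(node: Node, inherited: dict[str, str] | None = None,
            path: tuple[str, ...] = ()):
    """Pre-order walk yielding (Label, nesting path, effective Attributes, text).
    Attributes are inherited by nested entities and may be superseded there."""
    label, own, text, children = node
    attrs = {**(DEFAULTS if inherited is None else inherited), **own}
    yield label, path, attrs, text
    for child in children:
        yield from flatten(child, attrs, path + (label,))


def effective_attrs(root: Node) -> dict[str, dict[str, str]]:
    """Effective Attributes of every Structural Entity after inheritance."""
    return {label: attrs for label, _, attrs, _ in flatten(root)}


def merge_variants(variants: list[Node]) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Merge language variants of one document as the Repository does: one
    node per Label holding the text of each variant. The variants must have
    the same Structural Entities, nested the same way; deviations are reported."""
    langs = sorted(next(flatten(v))[2]["Language"] for v in variants)
    seen: dict[str, dict[str, tuple[tuple[str, ...], str]]] = {}
    problems: list[str] = []
    for root in variants:
        for label, path, attrs, text in flatten(root):
            entry = seen.setdefault(label, {})
            lang = attrs["Language"]
            if lang in entry:
                problems.append(f"{label}: Label used twice in {lang} variant")
            entry[lang] = (path, text)
    merged: dict[str, dict[str, str]] = {}
    for label, entry in seen.items():
        for lang in langs:
            if lang not in entry:
                problems.append(f"{label}: no {lang} variant")
        if len({p for p, _ in entry.values()}) > 1:
            problems.append(f"{label}: nested differently across variants")
        merged[label] = {lang: text for lang, (_, text) in entry.items()}
    return merged, sorted(problems)


def sample() -> tuple[dict[str, dict[str, str]], list[str]]:
    """Constructed English and German variants of the same slides; the German
    one lacks the Summary and has an extra Unit, both of which are reported."""
    en: Node = ("lec-1", {"Language": "en-GB"}, "Monoids", [
        ("sec-intro", {"Format": "LaTeX"}, "Introduction", [
            ("unit-def", {}, "A monoid is a set with an associative operation and a unit.", []),
            ("unit-spec", {"Format": "ASCII"}, "spec Monoid = sort Elem; op unit: Elem end", []),
        ]),
        ("sec-summary", {}, "Summary", []),
    ])
    de: Node = ("lec-1", {"Language": "de"}, "Monoide", [
        ("sec-intro", {"Format": "LaTeX"}, "Einleitung", [
            ("unit-def", {}, "Ein Monoid ist eine Menge mit assoziativer Verknüpfung und Einselement.", []),
            ("unit-spec", {"Format": "ASCII"}, "spec Monoid = sort Elem; op unit: Elem end", []),
            ("unit-extra", {}, "Nur in der deutschen Variante.", []),
        ]),
    ])
    return merge_variants([en, de])
```

Because the Language attribute is set once at the root and inherited, the 
variant of every nested entity is known without annotating each of them. 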

Format and Formalism Attributes. The FormatAttribute takes care of dif- 
ferent formats for the same Structural Entity, such as PDF or EPS for Figures, 
or ASCII, XML or LaTeX for a Casl specification. The FormalismAttribute de- 
fines the particular Formalism that a Structural Entity (and all its sub-entities) 
complies with, e.g. a specification language such as Casl; tools may then take 
advantage of this fact by checking for a special syntax in an ASCII source or 
generating a LaTeX variant from it for pretty formatting. The Formalism must 
be related to a particular ontology of FormalismAttributes, cf. also Sect. 3 and 
Sect. 2.2. 

Detail and Presentation Attributes. A document or an individual Struc- 
tural Entity may exist at several levels of detail during its development, and for 
different purposes (cf. the DetailAttribute in Fig. 3 and Table 1): a set of slides for 
a Lecture may be refined by adding annotations to LectureNotes, or further to a 
complete self-contained Course as a hyper-document for self-study. The Contents 
and Outline denote the underlying structure reflected in the table of contents, 
and this structure augmented by the various Summaries, resp. At the other end 
of the scale, conventional articles and books are located. 

Table 1 contains another dimension — the PresentationAttribute specifies var- 
ious kinds of presentation media: presentation on Paper, on a (black or white) 
Board, or as a Hyper document; further kinds specify presentation using an ex- 
ternal tool by Replay of a previously conceived script, or by an Interactive pre- 
sentation with the tool itself. 

2.6 Semantic Interrelation 

Declaration of an Ontology. Recall Fig. 1, the example of an ontology of 
Users and Roles. Such an ontology would be declared in MMiSSLaTeX, the LaTeX 
extension of MMiSS to represent the Document Constructs (cf. Sect. 5.1), in the 
OntologyPrelude as follows (partially shown here): 
\DeclClass{User}{User}{} 
\DeclClass{AcademicUser}{Academic User}{User} 
\DeclClass{StudentUser}{Student}{AcademicUser} 
\DeclClass{Role}{Role}{} 
\DeclClass{ReaderRole}{Reader}{Role} 
\DeclClass{TeacherRole}{Teacher}{ReaderRole} 
\DeclClass{StudentRole}{Student}{ReaderRole} 
\DeclClass{WriterRole}{Writer}{Role} 
\DeclClass{AuthorRole}{Author}{WriterRole} 
\DeclRel{*-*}{assumesRole}{assumesRole}{} 
\RelType{assumesRole}{User}{Role} 

Consider e.g. \DeclClass{StudentRole}{Student}{ReaderRole}, the dec- 
laration of a class. The first parameter, StudentRole, denotes the particular 
technical term we use in the ontology; the second, Student, the textual phrase 
that should appear in the text as default (see below); the third, ReaderRole, 
the superclass of StudentRole, from which properties are inherited. Analo- 
gously, \DeclObject{. . .} and \DeclRel{. . .} declare objects and relations, 
resp., whereas \RelType{assumesRole}{User}{Role} declares the type of a re- 
lation, in this case from the class User to the class Role; such a declaration 
may appear several times for different (sub)classes to allow specific typing and 
“overloading”. In the MMiSS ontology, such an OntologyDecl operation appears 
as a Prelude Operation in the OntologyPrelude, cf. Fig. 4. 



Table 1. Detail and Presentation. 

                 Paper                     Board                      Hyper 
                 (Text+Pictures)           (Manual)                   (Hyper-Medium) 

Contents         skeleton 
Outline          abstracts 
Lecture          handout                   presentation in class      browsing 
                 before class              (on laptop, black/white 
                                           board during class) 
Lecture Notes    annotated handout         annotated manuscript       offline browsing, 
                 after lecture             after presentation         personal annotation 
Course           self-contained course     integrated (manu)script    personal navigation 
                 script for self-study 

Definition and References. An OntologyDecl is a kind of promise that a 
corresponding OntologyDef will appear somewhere as a Prelude Operation in 
the source text of the document; e.g. \DefClass{StudentRole} is the defining 
occurrence for StudentRole, yielding “Student” in the formatted document, i.e. 
the default phrase declared above. Such an OntologyDef operation may appear 
as an Embedded Operation anywhere in the source. 

Fig. 4. PointsTo Relations. 

Whenever a class, say, has been declared by an OntologyDecl, the technical 
term may be referred to simply as \StudentRole{} in the source text (or equiv- 
alently \Ref{StudentRole}), yielding “Student” in the formatted document. If 
an alternative phrase rather than the default phrase should appear, then e.g. 
\Ref[my role as a student]{StudentRole}, using an optional parameter for 
this phrase, will yield the desired “my role as a student”. 

An OntologyPtr, e.g. a Ref, may appear as an Embedded Operation anywhere 
in the source, before or after a corresponding OntologyDef. It will yield a hyper- 
text link for the PresentationAttribute Hyper. A full reference may be obtained 
by \Reference{StudentRole}, yielding “StudentRole (see 2.6, on page 94)”. 

Note that a relation is predefined as a macro with two parameters, thus 
\assumesRole{A}{B} yields “A assumesRole B”, whereas \Ref{assumesRole} 
yields “assumesRole”. 

Resolution of Ambiguities. There are at least three reasons for having an 
extra technical term (the first parameter in an OntologyDecl): 

— the default phrase (the second parameter) may be translated into a different 
language variant of the ontology, assuming that the technical term remains 
the same for uniformity of language variants, 

— the technical term may be renamed upon Import from another package to 
avoid name clashes while the default phrase remains the same, 

— apparent ambiguities may be resolved by having two different technical terms 
with the same default phrase. 
To illustrate the ambiguity issue consider the following example and its source: 

a Student assumes the role of a Student 
a \StudentUser{} assumes the role of a \StudentRole{} 

An apparent ambiguity (which is usually resolved by context in natural language) 
is resolved since there are two different technical terms in the example ontology. 
Note that a hyper-reference references the appropriate OntologyDef correctly. 

PointsTo Relations. Consider Fig. 4: a Reference references an OntologyDef, 
an OntologyDef designates an OntologyDecl. Both relations belong to the family 
of pointsTo relations, quite similar to the relation family reliesOn. 

Inheritance of Relation Properties. Consider an extract of the ontology of 
relations for Document Constructs: 

\DeclRel{*-*}{comprises}{comprises}{relatesDocConstructs} 
\DeclRel{<-}{contains}{contains}{comprises} 
\DeclRel{*-*}{includes}{includes}{comprises} 
\DeclRel{>}{reliesOn}{reliesOn}{relatesDocConstructs} 
\DeclRel{}{imports}{imports}{reliesOn} 
\DeclRel{}{livesIn}{livesIn}{reliesOn} 
\DeclRel{}{proves}{proves}{reliesOn} 
\DeclRel{}{after}{after}{reliesOn} 
\DeclRel{->}{pointsTo}{pointsTo}{relatesDocConstructs} 
\DeclRel{}{designates}{designates}{pointsTo} 
\DeclRel{}{references}{references}{pointsTo} 
\DeclRel{->}{variantOf}{variantOf}{relatesDocConstructs} 

These form a hierarchy, where each relation inherits the properties of its 
super-relation. Formal properties are indicated by symbols whose semantics is 
only sketched here: > denotes a strict order, -> denotes an onto-relation, etc. 
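The declarations of Sect. 2.6 and the relation hierarchy above can be read by a 
small interpreter. The following Python is an added example and not MMiSS 
code: it parses \DeclClass, \DeclRel and \RelType from a constructed 
OntologyPrelude (the declarations quoted above plus a Professor class from 
Fig. 1), checks the inherited typing of relations (Professor assumesRole 
TeacherRole), resolves \Ref and \DefClass to the default or an alternative 
phrase, keeps StudentUser and StudentRole apart, inherits the property symbol 
along the relation hierarchy, and lists declarations whose promise of a definition 
is not yet fulfilled. \DeclObject and the exact semantics of the property symbols 
are left out; that, and the grammar used for the arguments, are assumptions of 
the example. 

```python
from __future__ import annotations
import re

# Constructed OntologyPrelude: the declarations of Sect. 2.6, a Professor
# class as in Fig. 1, and two relations of the hierarchy above. Property
# symbols as on the page: ">" strict order, "->" onto, "*-*" unconstrained.
PRELUDE = r"""
\DeclClass{User}{User}{}
\DeclClass{AcademicUser}{Academic User}{User}
\DeclClass{StudentUser}{Student}{AcademicUser}
\DeclClass{Professor}{Professor}{AcademicUser}
\DeclClass{Role}{Role}{}
\DeclClass{ReaderRole}{Reader}{Role}
\DeclClass{TeacherRole}{Teacher}{ReaderRole}
\DeclClass{StudentRole}{Student}{ReaderRole}
\DeclRel{*-*}{assumesRole}{assumesRole}{}
\RelType{assumesRole}{User}{Role}
\DeclRel{>}{reliesOn}{reliesOn}{}
\DeclRel{}{proves}{proves}{reliesOn}
"""

DECL = re.compile(r"\\(DeclClass|DeclRel|RelType)((?:\{[^{}]*\})+)")
ARGS = re.compile(r"\{([^{}]*)\}")


class Ontology:
    """Interpreter for the three declaration forms (assumed grammar: a command
    followed by brace groups without nested braces)."""

    def __init__(self, prelude: str):
        self.classes: dict[str, tuple[str, str | None]] = {}         # term -> (phrase, superclass)
        self.relations: dict[str, tuple[str, str, str | None]] = {}  # term -> (props, phrase, super)
        self.typings: dict[str, list[tuple[str, str]]] = {}          # rel -> [(from, to)]
        self.defined: set[str] = set()                               # terms with an OntologyDef
        for kind, raw in DECL.findall(prelude):
            args = ARGS.findall(raw)
            if kind == "DeclClass":
                term, phrase, sup = args
                if term in self.classes:
                    raise ValueError(f"technical term {term!r} declared twice")
                self.classes[term] = (phrase, sup or None)
            elif kind == "DeclRel":
                props, term, phrase, sup = args
                self.relations[term] = (props, phrase, sup or None)
            else:                                   # RelType may repeat for subclasses
                rel, src, dst = args
                self.typings.setdefault(rel, []).append((src, dst))

    def is_subclass(self, term: str, ancestor: str) -> bool:
        cur: str | None = term
        while cur is not None:
            if cur == ancestor:
                return True
            cur = self.classes[cur][1]
        return False

    def well_typed(self, rel: str, src: str, dst: str) -> bool:
        """Relations are inherited along subclassOf: Professor assumesRole
        TeacherRole is well typed via the typing User assumesRole Role."""
        return any(self.is_subclass(src, s) and self.is_subclass(dst, d)
                   for s, d in self.typings.get(rel, []))

    def props(self, rel: str) -> str:
        """A relation inherits the formal properties of its super-relation."""
        own, _, sup = self.relations[rel]
        return own if own or sup is None else self.props(sup)

    def ref(self, term: str, phrase: str | None = None) -> str:
        """\\Ref[phrase]{term}: the text shown; the default phrase unless overridden."""
        if term in self.classes:
            return phrase or self.classes[term][0]
        if term in self.relations:
            return phrase or self.relations[term][1]
        raise KeyError(f"{term!r} is not declared in the OntologyPrelude")

    def define(self, term: str) -> str:
        """\\DefClass{term}: the defining occurrence fulfilling the OntologyDecl promise."""
        self.defined.add(term)
        return self.ref(term)

    def unfulfilled_promises(self) -> list[str]:
        """Declared classes without a defining occurrence so far."""
        return sorted(set(self.classes) - self.defined)
```

The two technical terms StudentUser and StudentRole both render as “Student”; 
a hyperlink generated from the term, not from the phrase, points to the right 
OntologyDef, which is the point of keeping the term separate from the phrase. 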

3 The Content Ontology for MMiSS Courses 

In this section we present the variety of courses produced and presented in 
the MMiSS project (see Sect. 3.1). Moreover we describe the content ontology 
structure (see Sect. 3.2) and its development process (see Sect. 3.3) that we 
are using for the MMiSS courses. In general these content ontologies provide 
the means for establishing the semantic structure to relate different parts of the 
teaching material. In this sense an ontology is an explicit formal description of 
concepts in the domain of discourse. 

3.1 MMiSS Courses 

The MMiSS courses are divided into three areas for differently experienced au- 
diences. Basic courses are provided for the subjects logic, data models and event 
models. We provide advanced courses for the subjects verification, data specifica- 
tion and reactive systems. Moreover, there exist specialised courses for subjects 
like formal software development, security and safety critical systems. For each 
subject shown in Fig. 5 several courses have been prepared and presented at the 
partner universities of MMiSS and also at other universities such as TU Berlin, 
TU Dresden, Univ. of Swansea, etc. For a detailed listing of all courses visit the 
MMiSS website (see [16]). 

Fig. 5. Structure of MMiSS Courses. Introductory Courses: Introduction to 
Logic, Introduction to Data Models, Introduction to Event Models. Advanced 
Courses: Logic Representation & Verification, Data Specification, Reactive 
Systems Specification. Specialised Courses: Formal Software Development, 
Object-Oriented Software Engineering, Safety Critical Systems, Security. 



3.2 The Ontology for Formal Methods 

Although ontologies exist for many applications we are not aware of any ontol- 
ogy for formal methods. However, we base our ontology on several approaches 
for classifying and defining topics related to formal methods such as the ACM 
classification scheme [1], Astesiano and Reggio’s work on defining a schema for 
formal development techniques [3], Clarke and Wing’s survey on formal methods 
[8] and Steffen’s framework for formal methods tools [26] . 

For describing the ontology of Formal Methods and its instances in UML we 
use class and object diagrams; cf. the introductory example in Sect. 2.1. The 
class diagrams serve as representation for the abstract notions such as Domain, 
Engineering Method, Formal Method, Formalism, Language and Tool. The object 
diagrams represent the instances of the abstract notions. Typically, particular 
concepts chosen in a course are represented by object diagrams (see Sect. 3.3). 
The most general notion to describe a topic of research or teaching is the 
notion of Domain (see Fig. 6). A Domain is characterized by a number of Con- 
cepts and can have zero, one or more subdomains indicated by the association 
(relation) isSubDomainOf. Additionally, a Domain uses other Domains (the top 
level associations like isSubDomainOf and uses are not shown in Fig. 6). 

Other classes are specializations of Domain and inherit its associations such 
as isSubDomainOf and uses. For example, since the class Engineering Method (see 
Fig. 6) is a specialization of Domain, it inherits the subdomain relation and the 
relation to Concept. Additionally, an Engineering Method appliesTo (zero,) one 
or more Domains, it isSupportedBy Tools and its pragmatics are described by 
Processes (see [3]). Note that in our presentation the multiplicities of an associ- 
ation are indicated below the association name. Moreover, the multiplicities of 
the association ends are separated by a hyphen. 




Fig. 6. Semantic Structure of Engineering Method and Formal Method. 



The class Formal Method (see Fig. 6) is a specialization of Engineering Method 
with the particular feature that any instance of Formal Method is based on a For- 
malism. Formal Methods are classified into Specification Technique and Analysis 
Techniques; Verification Techniques is a subclass of Analysis Techniques (see [8]). 
Any Specification Technique serves to specify some System Views such as the 
data view, functional behaviour, concurrent behaviour, performance view etc. 
The class Formalism (see Fig. 7) is another specialization of the class Domain. 
A Formalism has one or more associated Languages and a Theory consisting of 
Definitions and Theorems. Any Language (see Fig. 8) has several Language Con- 
structs, Language Classifications such as natural, functional, object-oriented or 
real time language (see [1]), and can be supported by some Tools. Moreover, 
any Language possesses a Language Definition consisting of a Syntax and possibly 
of one or more Semantics. We specialize languages into Programming Language, 
Specification Language, Logical Language and possibly other kinds of Languages 
which are not represented here. 

Fig. 7. Semantic Structure of Formalism. 

Fig. 8. Semantic Structure of Language. 



3.3 Systematic Construction of Ontologies 

For constructing ontologies of particular courses in the area of Formal Methods 
we proceed as follows: We base the ontology of the course on the general model 
of Formal Methods as outlined above. In a first step, the general model is ex- 
tended by new abstract Domains of the course that are not yet covered by the 
general model. In a second step, object diagrams of the ontology specific to the 
course are constructed according to the extended general model. We give an 
example of this procedure by describing (part of) the ontology of the course 
’Foundations of System Specification’ which is held regularly at LMU München. 
This course presents formal techniques for specifying and refining complex data 
structures, state-based systems and reactive systems. The underlying Formal- 
isms are algebraic specifications based on the Language Casl for data structures; 
model-oriented specification techniques based on the Language Z for state-based 
systems, and Lamport’s Temporal Logic of Actions for reactive systems. In the 
Fig. 9. Extension of the Model by the Languages CASL and Z of the Course. 




Fig. 10. Ontology for the Alg. Specification Formalism of the Course. 



following we present the ontology for the specification of data structures and 
state-based systems. In a first step the class diagram of Language is extended 
by Z and Casl which form two new subclasses of Specification Language (see 
Fig. 9). 

The specific instance of Casl [2, 13, 6, 18] used in the course is the version 
CASL 1.0. It is classified as Specification Language; its Language Constructs are 
partitioned into Basic CASL Specification, Structured CASL Specification, Archi- 
tectural CASL Specification and Library CASL Specification. Casl 1.0 has formally 
defined CASL Syntax and CASL Semantics; its CASL Toolsuite consists of parsers, 
theorem provers and pretty printers (not detailed here; cf. [17]). 

The specific instance of Formalism called FSD Algebraic Specification of the 
course uses basic facts about FSD Signatures, FSD First Order Logic and FSD 
Universal Algebra to explain the associated FSD Algebraic Specification Theory. 
Different notions of refinement including their main properties and a translation 
from executable specifications to the functional Programming Language SML are 
presented (see Fig. 10). The instances of the ontology are prefixed by ’FSD’ since 
they refer to those notions and Theorems of a Formalism of a Theory which are 
presented in this course. The particular approach of the course to formal devel- 
opment of algebraic specifications is shown in Fig. 10. Algebraic Techniques are 
used in the context of data specification and the development of functional pro- 
grams. The chosen development process (the pragmatics) is stepwise refinement. 

4 Support Environment 

In this section we give an overview on the Support Environment integrating the 
authoring, the management, and the presentation tools for multimedia courses. 
The Support Environment developed in the MMiSS project aims at the following 
goals: 

Authoring. Authors have to be supported in the development and maintenance 
of their course material. This comprises the production of new documents, the 
adaptation and revision of existing courses, the import of existing documents 
(e.g. slides), but also the composition of existing courses to create a new 
course. MMiSS supports editing and creating of documents using a synthesis 
of textual and graphical interaction, combining a graph editor to manipulate 
the structure of a document and a text editor to edit the actual text. 
Management. The development management is responsible for persistency, 
consistency, and accessibility of the teaching material (Repository), and it has 
to treat version control, configuration management and change management 
(Development Manager) for consistency and the dependencies between the 
document components (via the ontology). It provides an interface mechanism 
to call external applications to allow for the presentation of such tools during 
the course or the collection of practical experiences when doing exercises 
within these tools. Additional support is given by a flexible user management 
with administration support and the possibility for integrating typical tools 
for electronic communication. 

Presentation. The use of the learning material will be supported in different 
kinds of teaching scenarios: by a Teacher, Tutor or Student on various presen- 
tation platforms, or for individualised self-study by a Student using Active- 
Math (see Sect. 7.3). Moreover, Students and Correctors use WebAssign 
for assignments. 

To achieve the above goals we have designed an open architecture that inte- 
grates subsystems developed by the different partners. Fig. 11 shows the major 
components of the Support Environment. 

In the following sections we illustrate the individual components for author- 
ing, maintenance and presentation in more detail. 

5 Authoring Tools 

The MMiSS tools allow users to produce, maintain and present course material. 
As mentioned before, one of the key design ideas is to provide means for making 
Fig. 11. MMiSS Support Environment System Architecture. 



semantic relations in the course material explicit. However, standard languages 
that are normally used to represent course material, such as PowerPoint or LaTeX, 
do not support such semantic relations. Therefore, on the one hand MMiSS 
provides extensions of both languages to cope with such relations, and tools 
to import existing course material into MMiSS. On the other hand, MMiSS 
provides an authoring tool to create new course material in a structured way 
using graph and text editing facilities. Below we illustrate these features in more 
detail. 

5.1 MMiSSLaTeX 

LaTeX is a generally accepted language to produce technical documents and 
course material of high print quality. Although LaTeX comes with some structur- 
ing mechanisms it still lacks the expressiveness to formulate many of the struc- 
turing mechanisms presented in Sect. 2. In order to support all these mechanisms 
of MMiSS, we developed a LaTeX-style authoring language called MMiSSLaTeX, 
consisting essentially of a library of LaTeX class files. MMiSSLaTeX provides com- 
mands for each of the structuring operations presented in Sect. 2. Technically, 
most of them are defined as environments, e.g. for sections, definitions, or lists. 
The attributes are given as optional arguments to the environments or commands. 

A document can be typeset using normal LaTeX with the help of the MMiSS- 
LaTeX class files to generate documents in PDF, Postscript or other formats. For 
\begin{Paragraph}[Label=Algebra, Title=Algebra] 

Algebras are models of \Signature{}s. 

\begin{Definition}[Label=DefAlgebra, Title={$\Sigma$-Algebra}] 
An \Emphasis{Algebra} $A = (S_A, \Omega_A)$ for a signature 
$\Sigma = (S, \Omega)$ ($\Sigma$-Algebra) is given by 
\begin{List}[Label=AlgebraComponents, ListType=itemize] 

\item 

for each sort $s \in S$, a \Emphasis{carrier set} 

$A_s \in S_A$; 

\item 

for each operation $\omega : s_1 \ldots s_n \rightarrow s$, an 
operation $\omega_A : A_{s_1} \ldots A_{s_n} \rightarrow A_s$. 
\end{List} 

\end{Definition} 

\end{Paragraph} 

Fig. 12. Example of a MMiSSLaTeX document: Definition of an Algebra. 



[Slide image: title ‘Algebras’, showing the rendered text of Fig. 12 (“Algebras are models of signatures”, Definition (Σ-Algebra) with the carrier-set and operation items); footer: C. Lüth, M. Roggenbach, Algebraic Specification, 12.09.2002] 

Fig. 13. The example from Fig. 12, rendered as a slide. 



example, Fig. 12 shows a MMiSSLaTeX source text in which the concept of an 
algebra is defined; with LaTeX this is rendered as the slide shown in Fig. 13. More- 
over, MMiSSLaTeX serves as an authoring and input language for the MMiSS 
repository. 

5.2 PowerPoint 

In order to migrate existing slides and to relieve the authors from the burden 
of writing content in an unfamiliar language, tools which allow the import of 
PowerPoint slides into the MMiSS-repository have been developed. The tool 
CPoint, developed at the Carnegie Mellon University by Andrea Kohlhase, 
translates PowerPoint slides into OMDoc, which is another exchange language 
of the MMiSS-repository; CPoint enriches PowerPoint documents with addi- 
tional semantical information, like the semantic structuring relations mentioned 
in Sect. 2, or with other metadata, like for instance authors or date, and finally 
translates these annotated slides into OMDoc. As OMDoc documents, the 
slides can be imported into the repository. CPoint makes use of the QMath 
tool to parse and translate mathematical formulas occurring inside the slides. 

5.3 Interactive Course Creation 

To edit material, MMiSS provides a graphical interface based on the graph vi- 
sualisation system daVinci [9,4] and the XEmacs editor [29]. The idea is to 
visualize and edit the various structuring relations contained in MMiSS docu- 
ments in a graph editor while a text editor is used to deal with the basic text 
fragments (like Units, see Sect. 2.2). The predominant interaction paradigm is 
direct manipulation — authors do not have to learn cryptic command lines to 
interact with the system, they can just point at the entity of interest, or select 
from a menu of given choices. 

5.4 Structure Graph 

According to the structure of MMiSS documents in Sect. 2, a Structural Entity 
is an entity such as Section, Program, Exercise, TextFragment, etc. These entities 
are related, most obviously by textual nesting, but also by structural Links or 
References. This structure gives rise to the structure graph, which has the various 
entities as nodes, and the relations as labelled, directed edges. With regard to 
the comprises relation, the graph is directed and acyclic, but it is not a tree, since 
a Structural Entity may be included in more than one place (structural sharing). 

As an example, consider a real-life lecture series introducing formal program 
development in the algebraic specification style to undergraduate computer sci- 
ence students. One section of this lecture series, corresponding roughly to one 
lecture, introduces the basic concepts of algebraic specifications. The document 
is structured as follows: 

— it has a short Introduction motivating what is going to come, 

— an Abstract summarising the new concepts, 

— the main part consisting of Paragraphs, introducing and defining the concepts 
of Signatures, Algebras, and Terms, 

— followed by a short Example (the natural numbers in Casl), 

— and closes with a Summary of the new concepts. 

Introduction and Summary contain a list enumerating the concepts the user is 
about to learn, or has just learned. The main parts are Paragraphs, which are 
structured further: for example, Signatures, Algebra and Terms contain defini- 
tions of the corresponding concept. The resulting structure graph is shown in 
Fig. 14. Structure Graph of Example Document. 



Fig. 14. Note how later Definitions and Examples refer back to earlier Definitions 
(indicated by dashed arrows), for example to define an Algebra we need to refer 
to Signatures. 

Thus, each node represents a Section (shaded yellow), Unit (shaded green), 
or Atom containing the description of the corresponding notion in more detail. 
In order to edit this description the user can select a node, corresponding to a 
Repository object, and its code is loaded into the XEmacs editor (see Fig. 15). 
A special MMiSSLaTeX mode gives the user additional editing assistance, e.g. to 
insert environments or commands. Documents can be edited in the MMiSSLaTeX 
exchange format using a particular MMiSSLaTeX mode; thus other editors may 
be used as well. 

Since a Structural Entity can get quite large (for example, a whole Package), 
we only display one level in the XEmacs editor; nested Structural Entities are 
displayed by clicking buttons. For example, Fig. 15 shows the Paragraph labelled 
Algebra being edited. It contains the definition labelled DefAlgebra, which 
has been opened, and the user is just about to open the list AlgebraCompo- 
nents. 

The Repository objects in the Repository are organised in folders, which allow 
the grouping of Repository objects much like directories in a file system. Folders 
may contain other folders, or MMiSS Structural Entities, i.e. Sections, Units or 
Fig. 15. The Structure Graph: Editing the Definition of an Algebra. 



Atoms. The structure graph contains the hierarchy of folders and, at the leaves of 
this hierarchy, the structure of the Repository objects inside a Package, as nodes, 
with edges corresponding to the comprises relation (resulting from nesting and 

structural sharing). 

6 Sustainable Development and Maintenance 

The MMiSS Repository is the central database maintaining MMiSS documents. 
Sustainable development is supported by fine-grained version control, configura- 
tion management and a change management. The structured representation of 
documents as graphs allows operations to take the structuring into account (see 
e.g. change management described in Sect. 6.3). It is also the basis for a con- 
figuration management to control various versions of a document. We call such 
graphs together with the possible activities a development graph. 

The Repository is implemented almost entirely in the functional programming 
language Haskell [11] in about 60 Kloc. It uses the open source data base 
BerkeleyDB [25] to store documents. The graph visualisation system daVinci, 
the graphical user interface library Tcl/Tk [21] and the XEmacs editor are 
encapsulated in Haskell. These encapsulations are available separately, and 
can be used independently, in particular the Tk encapsulation, called HTk [23]. 

The content model is generic over the XML DTD used (although of course 
the structure parsers for the external exchange formats are not), so the Repository 
can be used for other document formats as well. More importantly, small changes 
and extensions in the DTD can be implemented directly without needing to 
recompile the Repository. To parse the DTD and the documents, we use the 
Haskell XML library HaXML [28]. 

6.1 Representation 

The principal representation and external exchange format for documents in the 
Repository is MMiSS-XML, a straightforward translation of the Document Con- 
structs introduced in Sect. 2 into XML. However, XML is not meant to be read 
or written by human users, and tools have their own input formats, hence for 
presentation and editing purposes, we need external exchange formats. An ex- 
ternal exchange format is incorporated into MMiSS by implementing a structure 
parser, which converts documents in the external exchange format, like MMiSS- 
LaTeX, into MMiSS-XML and back. More external exchange formats will be 
added if and when editing and presentation tools accepting and requiring these 
formats shall be incorporated into the MMiSS system. 

6.2 Version Control and Configuration Management 

The art of keeping track of the evolution of complex systems in general, and 
complex documents in this particular case, is called configuration management. 
Changes to a document have to be organised and recorded, such that earlier 
configurations can always be retrieved. While usually configuration objects are 
source files, we follow here a fine-grained approach using Structural Entities of 
MMiSS, like Sections, Units or Atoms or associated Attributes, as configuration 
objects. 

The version graph is the representation underlying version control. Nodes of 
the graph represent different versions of Repository objects while edges denote the 
RevisionOf relation. An author always starts interaction with the Repository by 
picking a version under development from the version graph. This version will be 
checked out into the user’s local filespace and can then be edited. Fig. 16 (left) 
shows a typical version graph, as displayed by daVinci. Version 1.5 is the current 
working version (as visualised by the red shade); it is edited as shown in Fig. 15. 
When finished with editing, a user may commit changes back into the Repository 
(or may just dispose of them silently). New versions of the changed Repository 
object and of all Repository objects containing the changed Repository object are 
created. Thus, new versions are propagated upwards: a change in a constituting 
Repository object results in a new version of the parent Repository object, all the 
way up to the root folder. 

When a Repository object has more than one Repository object which is a 
revision thereof, we say this is a span in the version graph. For example, in 
Fig. 16. Version Graph displayed by daVinci (left); Merging of Versions (right). 



Fig. 16, there are three spans, starting at the versions 0.1, 1.0 and 1.2. A span 
corresponds to concurrent revisions of one object. It can be reconciled by a 
merge: users can pick the source versions from which they wish to incorporate 
all changes into one new version, which then becomes a revision of all the source 
versions. Fig. 16 (right) shows the merging of versions 1.1a, 1.3 and 1.4 to form 
a new version 2.0. 
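The version-graph behaviour described in this section (upward propagation of new versions, spans as concurrent revisions, and a merge that becomes a revision of all its sources) as an added, self-contained Python example; this is not MMiSS code (the Repository is written in Haskell), and the object names, version labels such as `DefAlgebra@2` and the `Repository` class are all constructed for illustration:

```python
"""Toy version graph in the style of Sect. 6.2 (constructed example, not MMiSS code).

Objects are Repository objects nested via comprises (stored child -> parent);
each version is a node and RevisionOf edges point from a version to the
version(s) it revises.  A span arises when one version has several revisions;
a merge creates a version that revises all of them.
"""
from collections import defaultdict


class Repository:
    def __init__(self):
        self.parent = {}                 # object -> containing object (None at the root folder)
        self.head = {}                   # object -> current working version
        self.revises = {}                # version -> frozenset of versions it is a RevisionOf
        self.count = defaultdict(int)    # per-object counter; labels like "X@2" are constructed

    def add(self, obj, parent=None):
        self.parent[obj] = parent
        self.head[obj] = self._fresh(obj, ())
        return self.head[obj]

    def _fresh(self, obj, sources):
        self.count[obj] += 1
        version = f"{obj}@{self.count[obj]}"
        self.revises[version] = frozenset(sources)
        return version

    def _propagate(self, obj):
        """New versions are propagated upwards: every object comprising `obj`
        gets a new version revising its head, all the way up to the root."""
        created = {}
        obj = self.parent[obj]
        while obj is not None:
            created[obj] = self.head[obj] = self._fresh(obj, (self.head[obj],))
            obj = self.parent[obj]
        return created

    def commit(self, obj, base=None):
        """Commit an edit of `obj` that was made on `base` (default: its head)."""
        self.head[obj] = self._fresh(obj, (base or self.head[obj],))
        return {obj: self.head[obj], **self._propagate(obj)}

    def merge(self, obj, *sources):
        """Reconcile a span: the new version is a revision of all `sources`."""
        self.head[obj] = self._fresh(obj, sources)
        return {obj: self.head[obj], **self._propagate(obj)}

    def revisions_of(self, version):
        return sorted(v for v, srcs in self.revises.items() if version in srcs)

    def ancestors(self, version):
        """All versions reachable along RevisionOf edges."""
        seen, todo = set(), [version]
        while todo:
            for src in self.revises[todo.pop()]:
                if src not in seen:
                    seen.add(src)
                    todo.append(src)
        return seen

    def spans(self):
        """Versions with more than one revision (concurrent edits of one object)."""
        return sorted(v for v in self.revises if len(self.revisions_of(v)) > 1)

    def open_spans(self):
        """Spans not yet merged: no version descends from all of their revisions."""
        return [v for v in self.spans()
                if not any(set(self.revisions_of(v)) <= self.ancestors(w)
                           for w in self.revises)]


def example():
    """Two authors revise the same definition concurrently, then the span is merged."""
    repo = Repository()
    repo.add("Root")
    repo.add("Section", parent="Root")
    repo.add("DefAlgebra", parent="Section")
    first = repo.commit("DefAlgebra")                        # edit of the head, DefAlgebra@1
    second = repo.commit("DefAlgebra", base="DefAlgebra@1")  # concurrent edit of the same base
    open_before = repo.open_spans()
    merged = repo.merge("DefAlgebra", "DefAlgebra@2", "DefAlgebra@3")
    return {
        "first": first, "second": second, "merged": merged,
        "open_before": open_before, "open_after": repo.open_spans(),
        "merge_sources": sorted(repo.revises[merged["DefAlgebra"]]),
        "heads": dict(repo.head),
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

Running `example()` shows the two effects the text describes: each commit creates a new version of the section and of the root folder as well, the second commit on the old base opens a span at `DefAlgebra@1`, and after the merge `open_spans()` is empty because `DefAlgebra@4` descends from both concurrent revisions.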



6.3 Change Management 

The notion of change management is used for the maintenance and preservation 
of consistency and completeness of a development during its evolution. More 
precisely, we want to have a consistent configuration in which all constituents 
harmonise, versions are compatible, References and Links refer to the proper 
targets, etc. At the same time, it should be a complete configuration: e.g. the 
promises of forward References and Links should be fulfilled, i.e. they must not be 
dangling; if we have an English and a German variant of a whole document, then 
we expect to have a corresponding German variant for each English variant for 
all constituent Structural Entities, with the same overall structure and relations, 
and vice-versa. 

Such notions are well-known for formal languages; in contrast, natural lan- 
guage used for writing teaching material does not usually possess a well-defined 
semantics; the notion of consistency is debatable. Different authors may postu- 
late different requirements on the material in order to regard it as being consis- 
tent. The existence of an ontology already helps a great deal to check References. 

It turns out that the notions of consistency and completeness are closely re- 
lated to the Document Constructs and relatesDocConstructs relations. For special 
FormalismAttributes, additional structuring relations may be explored by special 
tools operating on these. Casl, for instance, offers the notions of extension, 
union, etc., to define dependencies between specifications. 

The change management keeps track of the various structuring mechanisms 
described in Sect. 2. Below we will tentatively explore various properties of the 
individual structuring mechanisms to illustrate possible notions of consistency 
and completeness and their interaction. Postulating such invariant properties as 
requirements on the consistency and completeness of a document, and formulating 
these invariants as formal rules, will enable us to implement a generic and flexible 
change management that keeps track of the various invariants and informs the 
user about violations when a previously consistent document has been revised. 

Properties of Individual Structuring Mechanisms. For each of the struc- 
turing mechanism described above we can formulate various invariants that are 
prerequisites for consistency or completeness. Some of these are enforced by the 
underlying structuring language (MMiSSLaTeX) but others may be violated once 
the user revises a document. 

Obviously the comprises relation is reflexive, transitive and antisymmetric 
denoting an acyclic finite graph (which is actually a subgraph of the structure 
graph). These properties are trivially enforced by the Document Constructs. We 
may want to require additional invariants for consistency, e.g. that each major 
Structural Entity (such as Package or Section) contains at least one Unit or Atom, 
or that there is at most one Summary in a Section. 

Each reliesOn relation or pointsTo relation is irreflexive and acyclic. We would 
also postulate as a consistency requirement that there is at most one target, 
i.e. the relations are in fact many-to-one; a completeness requirement is that 
there is at least one target, e.g. References must not be dangling; both 
together require a unique target. Furthermore, for reliesOn relations, we require 
the target to be presented beforehand. However, the completeness requirement 
may be weaker for pointsTo relations as we tolerate forward pointers, even to 
other, future Packages (warnings should be given, though). 

Regarding special FormalismAttributes, we adopt their reliesOn relations and 
corresponding properties. Axioms in Casl, for instance, depend on their global 
environment resulting from fragments of the Theory that specifies the signature 
of the symbols used in the Axioms. 

The semantics of the variantOf relations depends on the various types of vari- 
ants. Regarding variants in different languages (or on different levels of detail), 
we impose the completeness requirement that each variant in one language must 
have a corresponding variant in the other, for each constituent Structural Entity, 
with the same overall structure and relations (as an option, for each level of 
detail, and so on). Similarly one will be able to specify, as a consistency re- 
quirement, that all Programs should be in a particular FormalismAttribute, e.g. 
the programming language Haskell. A corresponding completeness requirement 
would be that we have, for each Program, a variant in programming language C 
and Java, e.g. for different Teachers of a course. 

Properties of Interactions between Structuring Mechanisms. While the 
properties mentioned above are specific to an individual structuring mechanism, 
we will explore possible interactions of different structuring mechanisms and how 
they can be used to refine consistency and completeness. 

Relating the comprises and reliesOn relations (we subsume pointsTo relations 
here) allows us to formalize constraints regarding the closure of document parts 
with respect to the reliesOn relation. We may require, for example, that there 
is a Proof for each Theorem in a Package or that each Reference references an 
OntologyDef occurrence in this Package unless there is an explicit import. Fur- 
thermore, a reliesOn relation between two Structural Entities is propagated along 
the comprises relation towards the root of the hierarchy of nested Structural Enti- 
ties. Consider, for example, a Proof in Section A that proves a Theorem in Section 
B, then Section A reliesOn Section B. Conversely, a reliesOn relation between two 
Structural Entities cannot be decomposed and propagated towards the leaves. 
Changing (parts of) one of them can affect the proposed reliesOn relation. 
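The invariants listed above for the individual mechanisms (comprises acyclic but with structural sharing; reliesOn and pointsTo irreflexive, acyclic, with a unique, non-dangling target that is presented beforehand, forward pointsTo tolerated with a warning) and the propagation of reliesOn along comprises up to the enclosing Sections, as an added Python example that checks them over the lecture document of Sect. 5.4 before and after a revision deletes an Atom. It is a constructed illustration, not the MMiSS change management; the entity names, the `StructureGraph` class and the severity labels are assumptions made here:

```python
"""Constructed consistency/completeness checker for a structure graph (not MMiSS code).

Structural Entities are nodes; comprises, reliesOn and pointsTo are labelled edges.
Targets of reliesOn/pointsTo are labels, so a revision can leave them dangling.
"""
from collections import Counter, defaultdict


class StructureGraph:
    def __init__(self):
        self.kind = {}                       # entity -> Package / Section / Unit / Atom ...
        self.children = defaultdict(list)    # comprises, in presentation order
        self.parents = defaultdict(list)     # inverse of comprises (sharing: several parents)
        self.defined = Counter()             # label -> number of entities carrying it
        self.relies_on, self.points_to = [], []   # (source entity, target label)
        self.root = None

    def add(self, entity, kind, parent=None):
        self.kind[entity] = kind
        self.defined[entity] += 1
        if parent is None:
            self.root = entity
        else:
            self.include(parent, entity)

    def include(self, parent, child):
        """Structural sharing: one entity may be comprised by several parents."""
        self.children[parent].append(child)
        self.parents[child].append(parent)

    def remove(self, entity):
        """A revision that deletes an entity: its own edges go, edges to it dangle."""
        del self.kind[entity]
        self.defined[entity] -= 1
        for p in self.parents.pop(entity, []):
            self.children[p].remove(entity)
        self.relies_on = [(s, t) for s, t in self.relies_on if s != entity]
        self.points_to = [(s, t) for s, t in self.points_to if s != entity]

    def order(self):
        """Presentation position: preorder over comprises, first occurrence counts."""
        pos, stack = {}, [self.root]
        while stack:
            e = stack.pop()
            if e not in pos:
                pos[e] = len(pos)
                stack.extend(reversed(self.children[e]))
        return pos

    def _cyclic(self, succ):
        state = defaultdict(int)             # 0 unvisited, 1 on the DFS path, 2 done

        def visit(n):
            state[n] = 1
            if any(state[m] == 1 or (state[m] == 0 and visit(m)) for m in succ(n)):
                return True
            state[n] = 2
            return False
        return any(state[n] == 0 and visit(n) for n in list(self.kind))

    def check(self):
        """Violations and warnings as (level, message), in edge order."""
        problems, pos = [], self.order()
        if self._cyclic(lambda n: self.children[n]):
            problems.append(("consistency", "comprises relation is cyclic"))
        for name, edges, forward_ok in (("reliesOn", self.relies_on, False),
                                        ("pointsTo", self.points_to, True)):
            out = defaultdict(list)
            for s, t in edges:
                out[s].append(t)
            if any(s == t for s, t in edges) or self._cyclic(lambda n: out[n]):
                problems.append(("consistency", f"{name} is not irreflexive and acyclic"))
            for s, t in edges:
                n = self.defined[t]
                if n == 0:
                    problems.append(("completeness", f"{name} from {s} to {t} is dangling"))
                elif n > 1:
                    problems.append(("consistency", f"{name} target {t} is ambiguous"))
                elif pos.get(t, -1) > pos.get(s, -1):      # target not presented beforehand
                    problems.append(("warning" if forward_ok else "consistency",
                                     f"{name} from {s} to {t} is a forward pointer"))
        return problems

    def enclosing(self, entity, kind):
        """Nearest entity of `kind` comprising `entity` (itself, if it is of that kind)."""
        todo = [entity]
        while todo:
            e = todo.pop(0)
            if self.kind.get(e) == kind:
                return e
            todo.extend(self.parents[e])
        return None

    def lifted_relies_on(self, kind="Section"):
        """reliesOn propagated along comprises towards the root: a Proof in Section A
        proving a Theorem in Section B gives A reliesOn B."""
        lifted = set()
        for s, t in self.relies_on:
            a, b = self.enclosing(s, kind), self.enclosing(t, kind)
            if a and b and a != b:
                lifted.add((a, b))
        return sorted(lifted)


def example():
    """The lecture of Sect. 5.4 (constructed names), checked before and after deleting DefTerm."""
    g = StructureGraph()
    g.add("Lecture1", "Package")
    for name, kind in (("Introduction", "Unit"), ("Signatures", "Section"), ("Algebras", "Section"),
                       ("Terms", "Section"), ("Example", "Section"), ("Summary", "Unit")):
        g.add(name, kind, parent="Lecture1")
    g.add("DefSignature", "Atom", parent="Signatures")
    g.add("DefAlgebra", "Atom", parent="Algebras")
    g.add("DefTerm", "Atom", parent="Terms")
    g.add("ExNat", "Atom", parent="Example")
    g.include("Summary", "DefSignature")          # structural sharing: a DAG, not a tree
    g.relies_on += [("DefAlgebra", "DefSignature"), ("DefTerm", "DefSignature"),
                    ("ExNat", "DefAlgebra"), ("ExNat", "DefTerm")]
    g.points_to += [("Introduction", "DefAlgebra"), ("Summary", "DefSignature")]
    before, lifted = g.check(), g.lifted_relies_on("Section")
    g.remove("DefTerm")                           # the revision
    return before, lifted, g.check()
```

Before the revision the only finding is the tolerated forward pointer from the Introduction; the lifted relation shows that Algebras, Terms and Example rely on Signatures (or on each other) at Section level; after deleting DefTerm the reliesOn edge from ExNat becomes dangling, which is exactly the completeness violation the change management should report to the user.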

The interaction between the comprises and the variantOf relation is rather 
subtle and has not fully been investigated yet. For example, we expect the struc- 
ture of a document with the DetailAttribute Lecture to be a homomorphic pro- 
jection of the corresponding structure with the DetailAttribute Course. 

Similarly, the interaction between the reliesOn relation (or pointsTo relation) 
and the variantOf relation merits further investigation. It is not clear what kind 
of relations across variants are desired, if any. In principle, each variant should 
be closed with respect to reliesOn relations, i.e. all targets should be provided in 
that variant. An exception might be an explicit pointer to material in a lecture 
from a course, but then this material should be included in the course anyway 
as a completeness requirement. The converse is more likely: one might want to 
make a pointer into a more detailed course or lecture notes document from slides 
in a lecture. 

In any case, the more structure there is, the better are the chances for preserv- 
ing consistency and completeness; any investment in introducing more reliesOn 
relations, for example, will pay off eventually. The change management will ob- 
serve whether revisions by the user will affect these relations and, depending 
on the user’s preferences, emit corresponding warnings. It is crucial to point out 
that, in contrast to formal developments such as in the MAYA-system [24], there 
is no rigorous requirement that a document should obey all the rules mentioned 
above. There may be good reasons, for instance, to present first a “light-weight” 
introduction to all notions introduced in a Section before giving the detailed def- 
initions. In this particular case, one would want to introduce forward pointers 
to the definitions rather than making the definitions rely on the introduction; 
thus the rules are covered. The eventual aim of the MMiSS-design is to allow 
the user to specify her individual notion of consistency by formulating the rules 
the relations between the various structuring mechanisms have to obey. 

6.4 Foreign Tools and Administration 

A User Management component supports a simple user model with different Roles 
and handles the access rights of Authors, Teachers, Students, Tutors, Correctors, 
and also ToolDevelopers, System Developers, and Administrators (cf. Sect. 2.1). 
WebAssign. The WebAssign system developed at FernUniversität Hagen (see 
[7] or http://niobe.fernuni-hagen.de/WebAssign) supports web-based distribu- 
tion, correction, and administration of course related assignments. Assignments 
may have interactive parts where the system gives direct feedback to the student. 
WebAssign also manages the integration of external tools (such as compilers) 
that check student answers or provide help in other ways. In addition, Web- 
Assign provides a flexible administrative support. The WebAssign subsystem 
is presently being integrated. 



7 Presentation 

In this section, we concentrate on presentation issues such as layout and animation, 
and show how they can be realised using the authoring language MMiSSLaTeX. 

In general, presentation issues should be separated from issues of represent- 
ation in an abstract form (MMiSS-XML here), which can also serve as an 
external exchange format. In fact, the Author should be relieved from tedious for- 
matting as much as possible. Therefore, work is under way to isolate layout and 
animation as attributes. Ideally, tools will generate different presentation forms 
automatically. The subsystem ActiveMath, which is developed separately, is 
integrated via a mapping from MMiSS-XML to OMDoc and provides user- 
adaptive presentation based on pedagogic rules. 



7.1 Layout in MMiSSLaTeX 

Annotating Slides. At Universität Freiburg, experiments have been made 
to enhance slides for the course Computer-Supported Modelling and Reasoning 
(held regularly each year) towards a self-contained online course. We will report 
on our experiences below; they have led to new insights into the best ways of 
defining the layout (and animation) of the DetailAttribute LectureNotes and, to 
some extent, Course. 

Usually, slides for a lecture are sketchy and rely on the oral presentation of the 
Teacher. So in order for the slides to be adequate for self-study, an appendix has 
been added to each slide suite containing detailed explanations. There is a rich 
structure of pointers (hyperlinks resulting from References and Links), mainly 
going from some item in the lecture slides to an explanation of that item, but 
also many other pointers to even more detailed explanations, and forward and 
backward pointers within the slides. For example, whenever there is a sentence 
starting with “Recall that . . . ” , there is a pointer to the corresponding previous 
item in the lecture, usually a Reference to the OntologyDef occurrence of an 
element declared in the ontology. 

In fact, the slides of the lecture have been extended (as a refinement) to a level 
of detail that we would now regard as lecture notes for review by a Student after 
attending class; a self-contained online course without any tutoring would require 
yet a higher degree of verbosity. The tentative experience seems to indicate that 
different explicit levels of detail, depending on the Student’s learning profile, are 
not so important. The level of detail develops dynamically during a learning 
session depending on the pointers the Student decides to follow. 

However, in their current form the lecture notes are not very suitable for print- 
ing. At the least, the detailed explanations would have to be interleaved with 
the lecture slides so that an explanation immediately follows the slide referred 
to, and other pointers (References or Links), which are not hyperlinks anymore, 
have to be augmented by “(see Sect. . . . )” or “(see page ...)”. This empha- 
sises the need for a more abstract representation format and tools for generating 
different output formats automatically, cf. Sect. 2.5. In fact, a different presen- 
tation for a Reference or Link is now being generated in MMiSSLaTeX, depending 
on the PresentationAttribute: a hyperlink for Hyper and an extended text “(see 
Sect. . . . )” for Paper. 

To give a quantitative assessment of the material involved, one can say that 
extending lecture slides to lecture notes at least doubles the size of the sources. 
A typical lecture notes slide will contain around five pointers. We will further 
extend the material as Student feedback reveals where more detail is needed. 

Board Presentation. The Board PresentationAttribute of MMiSSLaTeX (cf. 
Sect. 2.5) allows for preparing a ‘shooting script’ of courses. In addition to the 
slides to be presented, such a script may also include notes on 

— what to write on the board, 

— which interactions with the students shall take place, 

— important oral remarks etc. 

during a lecture. Thus, while the annotated slides for online learning provide 
help for the students, the Board PresentationAttribute is a means of support to 
the lecturer during the course presentation. Slides to be presented are included 
as pictures between text blocks to be written on the board. These text blocks 
are structured by the same environments as available for slides. During the lec- 
ture, this kind of presentation helps to keep overview on the course material: 
the lecturer sees more than the slide currently presented; personal notes of all 
kinds can be included; tedious but important things like a uniform numbering 
of chapters, sections, environments, etc. are done automatically. 

While preparing a lecture in the Board style of MMiSSLaTeX, text blocks or 
graphics can easily be shifted between slide- and board-presentation thanks to 
the uniform naming of the structural entities. Technically, this is done by adding 
or removing the Board PresentationAttribute. This makes it possible to postpone 
the decision on how to present a certain item to the very last translation before 
presentation. In the electronic version of the resulting script, it is possible to 
run tool demonstrations included in the slides. Thus, one should consider the 
shooting script prepared in this way as the all inclusive document of a course’s 
presentation. 

Concerning the board content, one should be aware that it is of a different 
type than the material on slides: while slides are intended for presentation to 
students, only the lecturer will see the contents carrying the Board Presentation 
attribute. This allows board content to be less detailed; for instance, the following 
might suffice: ‘ex-tempore example: model an automaton with the signature 
provided by the above specification’. From a didactical point of view, such ex- 
tempore examples — maybe even suggested by the audience — are often better 
and far more impressive than examples which are prepared in all details before 
the presentation. Of course, the same type of argument carries over to proof 
sketches instead of complete proofs. The Board Presentation attribute also allows 
this kind of reminder to be included in the course’s shooting script. 



7.2 Animation in MMiSSLaTeX 



Fig. 17. Derivation tree: a derivation of A ∨ B → B ∨ A whose root step, by rule 
→-I, discharges the assumption [A ∨ B]¹ at one of the leaves 



With respect to animation, we focus here on a presentation (e.g. of a slide in a 
lecture, but also of lecture notes in the Hyper variant) where parts gradually 
appear or disappear in a sequence of display steps. The simplest and 
best-known case is that of an incremental buildup of a page: each step adds new 
text below the text already presented. These and more complex effects can be 
very useful in a lecture to illustrate how some complex object is built up step 
by step; the effect is similar to a presentation on the board. They are even more 
useful for lecture notes or a self-contained course, as no teacher is available. 

So far, such steps have been realised by so-called pause levels in PDFLaTeX 
using the PPower4 package [10]. 

Courses involving logic give rise to a particular application of animation ef- 
fects, namely animated derivation trees. A derivation tree is shown in Fig. 17. The 
LaTeX package proof for drawing such trees has been extended to support ani- 
mation: the particular logical structure of derivation trees and the general input 
syntax for such trees is taken into account. 

For each tree, one can specify at which pause levels it should be displayed. For 
each (sub)tree, one can again specify at which pause levels it should be displayed, 
overriding the specification for the surrounding tree. Derivation trees involve 
applications of rules, e.g. →-I. Each rule application can be associated with the 
discharging of an assumption, marked by brackets around the assumption and 
labelling both the rule and the brackets with a number. We have automated 
this process: the numbers are administered using symbolic references (making 
it easy to compose trees). Moreover, the brackets and their label will by default 
inherit the pause level from the rule application. For example, one could specify 
that the whole tree (and hence its root step marked by rule →-I) appears from 
pause level 4 onwards, whereas the assumption A ∨ B at one of the leaves appears 
from level 2. Then, by default, the brackets around A ∨ B and the label (here: 
1) will appear from level 4 onwards. 

Derivation trees can be quite complex and the process of constructing them 
is very hard to understand based on static illustrations. We therefore found the 
new style package very useful. 
7.3 User Adaptive Presentation in ActiveMath 

The ActiveMath project [14] was started independently from and before the 
MMiSS project and has provided a lot of valuable ideas. 

Goals. In the previous sections it became clear that producing on-line learning 
material involves a lot of effort, and that reusability in different contexts and 
for different presentations and presentation formats is a must in the develop- 
ment of future learning material. As one conclusion, a more abstract, semantic 
XML knowledge representation, OMDoc [12], has been developed. In addi- 
tion, presentation tools and other functionalities of the learning environment are 
strictly separated from the knowledge representation of the learning content in 
ActiveMath and can thus deliver different output formats, different hyperlink- 
ing, different presentations of symbols and formulas, personalized appearances, 
etc. 

Apart from these economically and technically driven developments, a ma- 
jor goal of multimedia on-line learning is a better quality of learning. This ob- 
jective calls for pedagogically and cognitively motivated features of a learning 
system, which include personalization of content and appearance, the provision 
of feedback, and presentation according to the learning progress. For instance, 
a learner becomes bored and less motivated when the material and exercises are 
too easy for her and not challenging at all. Similarly, the learner’s motivation will 
drop considerably when material and exercises are beyond her capabilities and 
knowledge mastery level. Therefore, a few advanced intelligent tutoring systems 
(including ActiveMath) adapt the content and its sequencing to the learner’s 
goals, capabilities, and learning preferences/scenario. 

Knowledge Representation. ActiveMath was the first system to use 
the knowledge representation OMDoc [20]. OMDoc is an extension of the 
OpenMath XML standard¹. OpenMath provides a grammar for the represen- 
tation of mathematical objects and sets of standardized symbols (the content 
dictionaries). OMDoc inherits the grammar for mathematical objects from 
OpenMath and the existing content dictionaries. In addition, OMDoc defines 
a framework for the definition of new symbols. 

The objectives of OMDoc and MMiSS-XML are quite similar: OMDoc 
was originally more tailored towards mathematical content and is being extended 
now; MMiSS-XML has had more general objectives, is more tailored towards the 
Document Constructs described above and the input language MMiSS- 
LaTeX; MMiSS-XML can be mapped to OMDoc and vice versa — efforts are 
presently being made for further unification. 

The metadata in core-OMDoc include the Dublin Core [27] metadata such 
as contributor and publisher. The ActiveMath DTD extends OMDoc (see 
e.g. [15]) and contains additional (pedagogically motivated) metadata, such as 
difficulty or field of an exercise and the prerequisite-of relation of instructional 
items for a concept, that allow even more customization of the document delivery 
to the student and her learning situation. 

¹ http://www.openmath.org 
Adaptive Presentations. Thanks to a user model that stores and updates 
the learner’s preferences, goals, activities, and mastery levels, ActiveMath is 
able to present the learning material in a user-adaptive manner, content-wise 
and presentation-wise. In the table-of-contents a color-annotation informs the 
student about her mastery level for concepts to be learned. 

The presentation process is flexible enough to choose either the low verbosity 
of slides or the high verbosity of a script, according to the learner’s needs. A 
slide presentation can automatically be (hyper-)linked to the more verbose ex- 
planations and other instructional items from the script sources. 

Mathematical objects/symbols in the presentation have a semantic annota- 
tion that points to the meaning of the symbol in the content dictionary. This 
enables functionalities such as copy and paste of mathematical formulas to a 
service system’s console. 

The transformation from assembled XML content items to the actual output 
format is realized with a modular presentation process with style sheet applica- 
tion at its heart. Currently, ActiveMath can produce PDF output, which is 
well suited for printing, as well as HTML output augmented by MathML 
presentation markup for mathematical symbols, which is well suited for display 
in a browser. 

Learning-Effective Features in ActiveMath. ActiveMath offers several 
other features that are known to improve learning. In particular, it has a generic 
mechanism for integrating service systems/tools for active and exploratory learn- 
ing, such as computer algebra systems or tools for formal software development. 

A dictionary can be called from the material or by explicit search in the dic- 
tionary. It displays the definition of a concept and, if required, also the concepts 
and instructional items that are somehow related to that concept, e.g., examples 
illustrating the concept or exercises training the concept. 

The learner can resume studying where she left off last time. She can ma- 
nipulate (rename, delete) those (listed) materials she has studied previously. A 
notes facility enables the learner to take personal or group notes corresponding 
to items in the learning material. The user model is open and inspectable. 

ActiveMath is customisable to teachers’ and learners’ needs and easily 
configurable to pedagogical strategies and knowledge resources. 

8 Conclusion 

In this paper we have presented the methodology, the techniques and tools of the 
MMiSS-project to support multimedia instructions in safe and secure systems. 
Summing up, the developed infrastructure allows a user 

— to develop transparencies, lecture notes, complete courses 

— to work on the board, with transparencies, interactively with tools 

— to embed mathematical formulae, programs, etc. 

— to manage e.g. English and German variants in parallel 

— to publish complete and consistent packages 
— to (partially) re-use the transparencies of a colleague 

— to be made aware of the changes made by colleagues 

— to develop a uniform terminology among various authors, and 

— to have support for sustainable development. 



Experiences. The system has been gradually introduced, over the duration of 
the project, into the normal teaching activities of the project partners. For exam- 
ple, the two-semester course TeCS (Techniques for the development of Correct 
Software) at Universität Bremen provides a gentle introduction to formal meth- 
ods for software development. It deals with sequential as well as with reactive 
systems, using the algebraic specification language CASL [2, 13, 6, 18] and the 
process algebra CSP, e.g. [22], respectively. On the tools side, the theorem prover Is- 
abelle and the model checker FDR play central roles. Besides simple exercises 
explaining single concepts, the TeCS problem sheets also include more complex 
tasks like specifying a family game (Nine Men’s Morris) in CASL; verifying a 
simple interpreter within Isabelle/HOL; modelling a file system in CASL at both 
the requirements and the design level; proving the refinement relation between 
these two specifications in HOL/CASL. 

Presenting TeCS using the presentational part of MMiSSLaTeX has been 
quite successful. For the author, the overhead to produce course material within 
the MMiSSLaTeX format is negligible compared to other presentation systems. 
Besides the usual benefits of a computer based presentation like ‘no slide con- 
fusion’, the MMiSSLaTeX integration of tool demonstrations in the slides en- 
courages the teacher to enliven the lectures by live demonstrations on the com- 
puter. The students are fond of the readability, the consistent markup, and the 
download-friendly PDF file size of the slides. It should be mentioned that these 
positive results also arise from a cautious usage of computer based presenta- 
tions: about half of the course material has been taught in ‘classical style’ using 
a blackboard. A poll among the students of TeCS gave the result that this is 
an optimal mixture. 

State of the Project and Future Developments. The project has made 
good progress during its first two years. Many lectures have been converted 
to the initial LaTeX-oriented input format, with good quality output as slides in 
PDF format. This material is now awaiting further coordination and refinement, 
as well as semantic interlinking via an ontology and using development graphs 
in the repository. The Development Manager, and other editing and authoring 
tools, have been made available in a first version. 

While the project has achieved a satisfactory, consistent state, a lot still has 
to be done: the documentation has to be improved, various bits and pieces have 
to be completed (e.g. layout and animation attributes), etc. We hope that the 
planned extension mechanisms will facilitate future developments considerably. 

MMiSSForum. As the open source model is used, teaching materials and tools 
are freely available to achieve a much wider national and international take-up. 
To assist this, an MMiSSForum has been set up with German, international, 
and industrial members, to evaluate the emerging curriculum and assist its de- 
velopment and distribution; you are welcome to join ([16]). The Advisory Board 
advises the project from a scientific as well as an industrial perspective, with a 
view to future applications. To go with the planned deployment at universities, 
a number of well-known German companies have already, through the various 
industrial contacts of the project partners, expressed an interest in measures for 
further in-house training. 

Support and Partners. The MMiSS project is being supported by the Ger- 
man Ministry for Research and Education, bmb+f, in its programme “New Media 
in Education” from 2001 to 2004. The project partners are 

— Universität Bremen (Krieg-Brückner, Drouineaud, Eckert (now at Darm- 
stadt), Gogolla, Kreowski, Lindow, Lüth, Mahnke, Mossakowski, Peleska, 
Roggenbach (now at Swansea), Russell, Schlingloff (now at HU Berlin), 
Schröder, Shi) 

— FernUniversität (Distance Education University) Hagen (Poetzsch-Heffter 
(now at Kaiserslautern), Bealu, Kraemer, Sun, Jelitto) 

— Universität Freiburg (Basin (now at ETH Zürich), Klaedtke, Smaus, Wolff), 

— Ludwig-Maximilians-Universität München (Wirsing, Kröger, Knapp, Hen- 
nicker, Meier, Zhang), 

— Universität des Saarlandes (Hutter, Melis, Autexier, Siekmann, Stephan, 
Goguadze, Libbrecht, Ullrich). 
Abstract. This brief essay attempts to explain some of the thinking be- 
hind the cantata Zero, Connected, Empty, composed by Ryoko Goguen, 
with words by Joseph Goguen. 

The cantata Zero, Connected, Empty was written for the banquet of the 16th 
Workshop on Algebraic Development Techniques, a conference on theoretical 
computer science, which was held in a monastery (more properly, a nunnery) on 
the island of Frauenchiemsee, in a lake in the country about an hour by train 
from Munich; it was performed there on 25 September 2002. It has 87 measures 
and takes about 8 minutes to perform. 

Artists, especially musicians, are often reluctant to “explain” their work, but 
this is an exception, because the piece was written for a very specific situation, 
and its creators are rather loquacious, though possibly obscure. The piece is a 
brief history of Western culture from the Enlightenment to the present, told in 
music and elliptical words, focusing on mathematics in a broad sense, or more 
precisely, on the philosophy of mathematics, in a sense that includes computer 
science. Its sections move from the eternal certainties and formal structures of the 
classical period, through the emotional and cultural aggression of romanticism, 
to contemporary confusions like postmodernism and computing. It is interesting 
to recall that in the medieval universities, music was taught in the mathematics 
faculty. 

It is a cantata in the loose sense that modern composers use that term, rather 
than in the traditional sense associated with Bach. It is written for voice and pi- 
ano, preferably the same musician. Though originally performed with an electric 
piano (which miraculously recovered from a last minute surgery at the banquet), 
it sounds much better on a concert grand, which allows the reverberations from 
the cluster chords to circulate and decay properly. 

The initial 8 measure Mozart-like introduction is the first theme from the first 
movement of Sonatina No. 1 for piano, by Ryoko. This leads into a 9 measure 
recitative-like vocal section, expressing the philosophy of the classical period, ex- 
emplified by thinkers like Newton and Leibniz. This is followed by an 8 measure 
romantic treatment of the second theme from the same Sonatina, and then by an- 
other vocal section, with words reflecting the spirit of the romantic period (which 
we take as lasting into the early 20th century), with its emphasis on conquering 
and colonizing nature, and foreign territories in general. The word “power” is 
meant in several senses, including those of physics, politics, electronics, and the 
military. This is followed by a 9 measure counting section, featuring the natural 
numbers from 1 to 12, accompanied by a variation on the first Sonatina theme, 
using Beethovenesque chords. The music in measures 46 to 71 moves into the 
contemporary period, with more complex chords and rhythms, an accelerating 
tempo, and deconstructed quotations of familiar themes of Bach, Beethoven, and 
Mendelssohn, culminating in an explosive sequence of cluster chords. 

The final vocal section in 12 measures mainly uses modern jazz chords. Its 
first phrase is a reference to the geography of Frauenchiemsee, but also, as the 
following phrases suggest, to the Buddhist philosophy of emptiness (sunyata in 
Sanskrit, mu in Japanese), which according for example to the 13th century Zen 
master Dogen Zenji [1], says that nothing has a “soul” or self-essence or ideal 
form, because everything arises together through mutual causation, i.e. through 
connectedness. The number zero gets recruited here as a symbol for the manifes- 
tation of emptiness as form. This section concludes with a brief recapitulation of 
the second Sonatina theme underneath its last 2 measures. The final 4 measures 
of the piece are an echo of emptiness, or emptiness ringing your door bell. (Some 
more general aspects of the relation between music and sunyata will probably be 
discussed in [3].) An element of non-linear coherence enters through the repeated 
reappearance of melodic and harmonic fragments in transformed guises. 

A clever person in the audience pointed out that the repeated phrase “zero, 
connected,” can be interpreted as a “generation constraint” (e.g., in the sense of 
[2], page 121) for the natural numbers; this shows how the audience can enrich 
an artist’s comprehension of a piece. 

International copyright is secured through JASRAC, the Japanese equivalent 
of the American ASCAP, but there may not be a great demand from performers, 
because the piece requires an unusual vocal range, contemporary classical piano 
skills, and the ability to interpret with shades of contemporary free jazz, and 
even a bit of pop. 

We wish to thank Yumiko Morita, Koji Nakano, and Pei Xiang for their very 
generous help. 
Abstract. ASL+ [SST92] is a kernel specification language with higher- 
order parametrisation for programs and specifications, based on a de- 
pendently typed λ-calculus. ASL+ has an institution-independent se- 
mantics, which leaves the underlying programming language and speci- 
fication logic unspecified. To complete the definition, and in particular, 
to study the type checking problem for ASL+, the language ASL+_FPC 
was conceived. It is a modified version of ASL+ for IFPC, an institution 
based on the paradigmatic programming calculus FPC. The institution 
IFPC is notable for including sharing equations inside signatures, reminis- 
cent of so-called manifest types or translucent sums in type systems for 
programming language modules [Ler94,HL94]. This allows type equali- 
ties to be propagated when composing modules. This paper introduces 
IFPC and ASL+_FPC and their type checking systems. 



1 Program Development with Institutions 

A simple setup for program development with institutions [GB92] is to consider 
programs to be syntactic expressions denoting models from an institution $\mathcal{I}$, 
and specifications to be syntactic expressions denoting classes of models. More 
elaborate views are certainly possible (e.g., programming languages considered as 
institutions whose satisfaction relation is a function), but perhaps unnecessary. 

One issue that must be resolved is the relationship between identifiers in the 
syntax, and their semantic equivalents. In particular, the possibility of aliasing, 
or as it is known in the context of modular programming, sharing, should be 
considered. While a real language may already include an understanding of shar- 
ing, the usual institutional semantics of a specification language such as ASL in 
equational logic $\mathcal{EQ}$ or first-order logic $\mathcal{FOL}$ does not, simply because there is 
no way to specify sharing in algebraic signatures. For example, given 

    $\Sigma =_{def}$ sig 
        sorts s, t 
        opns c : s, d : t 
    end 

the equation “c = d” is ill-typed because c and d have distinct sorts; so this 
equation is not in $\mathrm{Sen}(\Sigma)$. However, flexible ways of parameter passing can 
mean that the same sort can be referred to via several different identifiers, so 
there are occasions when this equation should be considered well-typed. The 
classical example is the “diamond-import” situation [Mac86], illustrated by the 
Standard ML (SML) functor heading: 

    functor F (structure S1 : sig type intset ... end 
               structure S2 : sig type intset ... end 
               sharing type S1.intset = S2.intset) = ... 

The parametrised program F has two parameter modules S1 and S2, but requires 
that any actual parameters have identical implementations of the intset type. 
This means that when type checking the body of the functor, the given type 
equation can be assumed. In the algebraic case, sometimes we may want to 
suppose that sorts s and t denote the same set, so c = d is type-correct. 

This issue may seem simple, but propagating type equalities properly lies at 
the heart of type-theoretic explanations of programming language module sys- 
tems, an issue which researchers have worked on for well over a decade (contribu- 
tions include [HMM90,HL94,Ler95,Ler96,Jon96,Rus99]). The design of a module 
type system is affected both by the type system of the underlying language, and 
by the flexibility of the module system: higher-order, first-class and recursive 
modules have all been considered. The work reported here is a first attempt to 
design a type system for a language which has higher-order parametrisation of 
both programs and specifications. 

With an institution-based semantics, we have two ways to go: 

Ignore sharing: e.g., by extending the satisfaction relation $\models$ to be three- 
valued, so that $A \models \varphi \in \{\mathit{true}, \mathit{false}, \mathit{wrong}\}$. Then $\mathrm{Sen}(\Sigma)$ is extended 
to contain all formulae which could possibly have a denotation. So now 
$c = d \in \mathrm{Sen}(\Sigma)$, but if $A_c \neq A_d$, then $(A \models c = d) = \mathit{wrong}$. This is 
a bit like dynamic type checking in programming languages, and similarly 
unattractive: nonsensical sentences accidentally become meaningful. 
Handle sharing: e.g., by adding information to signatures, to maintain the 
idea of static type checking. Then $\mathrm{Sen}(\Sigma)$ consists only of formulae which 
have a denotation in the semantics, as usual. This approach seems desirable 
when we have languages that can be statically type-checked. 

Following the second choice, there are two ways of handling sharing: 

External sharing: resolve sharing outwith the institutional notion of signa- 
ture. For example, we could maintain a map from “external identifiers” to 
“internal names,” the latter being names in an algebraic signature. This is 
(a bit) like the 1990 SML semantics, and was suggested in the algebraic 
semantics sketched for Extended ML in [ST86]. 

Internal sharing: make sharing part of the notion of signatures in the insti- 
tution somehow. For example, to handle type sharing, signatures could be 
equipped with an equivalence relation on sorts. 

The advantage of external sharing is keeping our familiar institutions. The con- 
siderable disadvantage is that we break the institution-independent framework: 
for example, specification building operators of ASL must be lifted to operate 
on the “external” part of algebraic signatures, and general results must be re- 
proved. (Nonetheless, this route has been followed for the semantics of CASL by 
introducing institutions with symbols [Mos99].) 

The internal sharing alternative means that we must modify the institution. 
But after that, we can apply the general institution-independent framework. We 
treat signatures as static typing environments which contain all that’s needed to 
type-check terms and formulae; $\mathrm{Sen}(\Sigma)$ is exactly the set of well-typed formulae 
in the abstract syntax over $\Sigma$. This is the route that we follow for ASL+_FPC. 

ASL+_FPC is an attempt to give a complete but small definition of a formal 
development framework. We start from the fixed-point calculus FPC, which 
is a prototypical expression language for higher-order functional programming. 
Then we define syntax and semantics for a programming language, specification 
language and logic, and fit these into a λ-calculus used for structuring, based on 
ASL+ [SST92,Asp95b]. The syntax and semantics of each part are put together 




LFPC, the logic for FPC, is based on higher-order logic with an axiomatisa- 
tion of the cpo order relation for the underlying fixed-point semantics of FPC. 
The final result, ASL+_FPC, allows higher-order parameterisation of both pro- 
grams and specifications, as well as the specification of parametrised programs, 
as studied in the abstract setting of ASL+ [SST92,Asp95b,Asp97]. 

In Section 2, we give the definitions of the institution IFPC. Section 3 intro- 
duces syntax and semantics for IFPC signatures and programs in context, and 
Section 4 describes the full module language ASL+_FPC. Section 5 concludes. 

2 An Institution for FPC 

FPC [Plo85] is an extension of the simply-typed lambda calculus with products, 
sums, and recursive types. The expressiveness of FPC is well-known: familiar 
datatypes are built beginning from the empty type $\mu a.a$, and we can define a 
fixed point operator for each function type $s \to t$. 

In practice, type expressions are too cumbersome to write out, so we need 
type abbreviations. Similarly, real programming languages use definitions to 
avoid repeating functions. So to the minimal FPC calculus we add type and term 
constants (in algebraic terminology, these are the sort and operation names). 

Let TyVar and TyConst be disjoint countable sets of type variables and type 
constants. Types of FPC are given by the grammar: 

$$t ::= c \mid a \mid t \to t \mid t \times t \mid t + t \mid \mu a.t$$ 

where $a \in \mathit{TyVar}$ and $c \in \mathit{TyConst}$. Free and bound variables of a type are 
defined as usual, and $\alpha$-convertible types are considered syntactically identical. 
Substitution of the type $s$ for the type variable $a$ in the type $t$ is written $[s/a]t$. 
(Similar conventions and notation are used henceforth without note.) Given a 
subset $\mathit{Ty} \subseteq \mathit{TyConst}$, we write $\mathit{ProgTypes}(\mathit{Ty})$ for the set of closed types whose 
type constants are contained in the set $\mathit{Ty}$. 

Terms of FPC are parametrised on a notion of signature, which is equipped 
with sharing equations for type constants. Let TmConst be a countable set of 
term constants. 

Definition 1. An IFPC signature $\Sigma$ is a triple $(\mathit{Ty}_\Sigma, \mathit{Sh}_\Sigma, \mathit{Tm}_\Sigma)$ where 

— $\mathit{Ty}_\Sigma \subseteq \mathit{TyConst}$ 

— $\mathit{Sh}_\Sigma : \mathit{Ty}_\Sigma \to \mathit{Fin}(\mathit{ProgTypes}(\mathit{Ty}_\Sigma))$ 

— $\mathit{Tm}_\Sigma : \mathit{TmConst} \rightharpoonup \mathit{ProgTypes}(\mathit{Ty}_\Sigma)$ 

We let $\Sigma$ stand variously for any component when no confusion would arise, 
and we write $=_\Sigma$ for the equality relation on $\mathit{ProgTypes}(\mathit{Ty}_\Sigma)$ defined as the 
compatible closure of equalities introduced by $\mathit{Sh}_\Sigma$ (i.e., $c = t$ for $t \in \mathit{Sh}_\Sigma(c)$). 

The idea is that sharing equations induced by $\mathit{Sh}_\Sigma$ are used during type check- 
ing. In practice, useful signatures will have unifiable equations (considering $\mathit{Ty}_\Sigma$ 
as variables); we only want equalities which arise from abbreviations and aliased 
names. Having $\mathit{Sh}_\Sigma$ as a partial function would suffice for our purposes, but 
defining $\mathit{Sh}_\Sigma(c)$ instead as a set of equations allows signatures to be put to- 
gether easily. Checking that a finite signature is unifiable is a simple first-order 
unification problem (we do not unfold recursive types). 

Terms in FPC are given by the grammar: 

$$\begin{array}{rcl} 
e & ::= & v \mid x \mid \mathsf{fun}(x{:}t).e \mid e\,e \\ 
  & \mid & (e, e) \mid \mathsf{fst}(e) \mid \mathsf{snd}(e) \\ 
  & \mid & \mathsf{inl}_{t+t}(e) \mid \mathsf{inr}_{t+t}(e) \mid \mathsf{case}\ e\ \mathsf{of}\ \mathsf{inl}(x) \Rightarrow e\ \mathsf{or}\ \mathsf{inr}(x) \Rightarrow e \\ 
  & \mid & \mathsf{intro}_{\mu a.t}(e) \mid \mathsf{elim}(e) 
\end{array}$$ 

where $v \in \mathit{TmConst}$ ranges over term constants and $x \in \mathit{TmVar}$ ranges over a 
set of term variables. 

Terms are type-checked with the standard rules, together with a rule for 
typing term constants and a rule for using type equality: 

$$\frac{\Sigma(v) = t}{\Gamma \vdash_\Sigma v : t} 
\qquad 
\frac{\Gamma \vdash_\Sigma e : s \quad s =_\Sigma t}{\Gamma \vdash_\Sigma e : t}$$ 

As usual, the type checking judgement $\Gamma \vdash_\Sigma e : t$ uses a context $\Gamma$ of type 
assignments $x : t$ giving types $t \in \mathit{ProgTypes}(\Sigma)$ to variables. 

Definition 2. A signature morphism $\sigma : \Sigma \to \Sigma'$ is a pair $(\mathit{Ty}^\sigma, \mathit{Tm}^\sigma)$ where 
$\mathit{Ty}^\sigma : \mathit{Ty}_\Sigma \to \mathit{Ty}_{\Sigma'}$ and $\mathit{Tm}^\sigma : \mathit{Dom}(\mathit{Tm}_\Sigma) \to \mathit{Dom}(\mathit{Tm}_{\Sigma'})$ are functions such 
that for all $c \in \Sigma$, $t \in \Sigma(c)$ implies $\sigma(c) =_{\Sigma'} \sigma(t)$, and for all $v \in \Sigma$, $\Sigma(v) = t$ 
implies $\mathit{Tm}_{\Sigma'}(\sigma(v)) =_{\Sigma'} \sigma(t)$. 
A special case of signature morphism is the inclusion between a signature $\Sigma$ and 
a richer one $\Sigma'$ having more constants or equalities. 

Definition 3 (FPC subsignatures and inclusions). A signature $\Sigma$ is a sub- 
signature of $\Sigma'$, written $\Sigma \subseteq \Sigma'$, if $\mathit{Ty}_\Sigma \subseteq \mathit{Ty}_{\Sigma'}$, $t \in \Sigma(c)$ implies $c =_{\Sigma'} t$, and 
$\Sigma(v) = t$ implies $\mathit{Tm}_{\Sigma'}(v) =_{\Sigma'} t$. If $\Sigma \subseteq \Sigma'$, then there is a canonical morphism 
$i_{\Sigma,\Sigma'} : \Sigma \to \Sigma'$, the inclusion of $\Sigma$ in $\Sigma'$, comprising the evident inclusions. 

Example 1. Define three signatures by: 

    $\Sigma_1 =_{def}$ sig 
        type c 
        val v : (c × bool) × (c × bool) 
    end 

    $\Sigma_2 =_{def}$ sig 
        type c 
        type d 
        sharing d = c × bool 
        val v : d × d 
    end 

    $\Sigma_3 =_{def}$ sig 
        type c 
        type d 
        val v : (c × bool) × d 
    end 

Then $\Sigma_1 \subseteq \Sigma_2$ and $\Sigma_3 \subseteq \Sigma_2$, but $\Sigma_1$ and $\Sigma_3$ are unrelated. 

If $\Sigma \subseteq \Sigma'$ and $\Sigma' \subseteq \Sigma$ we consider $\Sigma$ and $\Sigma'$ semantically equivalent. Under 
this equivalence and a similar one on signature morphisms, we get the category 
$\mathbf{Sign}^{\mathit{IFPC}}$. We usually work with particular concrete representatives. 
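The signatures with sharing equations of Definition 1, the type equality $=_\Sigma$, and the subsignature test of Definition 3, as an added Python illustration that is not part of the paper. The sharing equations are solved by first-order unification with the type constants as the unknowns and without unfolding recursive types, the check the text describes, and $=_\Sigma$ is decided by comparing both sides under the resulting unifier (for signatures like those of Example 1, where each constant has at most one defining equation, this coincides with the compatible closure). It assumes that bool is a type constant declared in every signature, and represents bound type variables by de Bruijn indices.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Union

# FPC types  t ::= c | a | t -> t | t x t | t + t | mu a.t.  Bound type variables
# are de Bruijn indices, so alpha-equivalent types are equal as Python values.
@dataclass(frozen=True)
class Const: name: str                 # type constant c, an element of Ty_Sigma
@dataclass(frozen=True)
class Var: index: int                  # bound variable: index of the enclosing mu (0 = nearest)
@dataclass(frozen=True)
class Bin: op: str; left: "Type"; right: "Type"   # op is "->", "x" or "+"
@dataclass(frozen=True)
class Mu: body: "Type"                 # recursive type mu a.body

Type = Union[Const, Var, Bin, Mu]
Subst = Dict[str, Type]                # solution: type-constant name -> type

@dataclass
class Signature:                       # Definition 1: Sigma = (Ty, Sh, Tm)
    ty: FrozenSet[str]                 # type constants
    sh: Dict[str, FrozenSet[Type]]     # sharing equations c = t for each t in Sh(c)
    tm: Dict[str, Type]                # term constants v : t (partial map)

def subst(sol: Subst, t: Type) -> Type:
    """Apply sol to the type constants of t (constants are closed, so nothing
    needs shifting under a mu binder)."""
    if isinstance(t, Const):
        return subst(sol, sol[t.name]) if t.name in sol else t
    if isinstance(t, Bin):
        return Bin(t.op, subst(sol, t.left), subst(sol, t.right))
    return Mu(subst(sol, t.body)) if isinstance(t, Mu) else t

def occurs(c: str, t: Type) -> bool:
    if isinstance(t, Bin):
        return occurs(c, t.left) or occurs(c, t.right)
    return occurs(c, t.body) if isinstance(t, Mu) else t == Const(c)

def closed(t: Type, depth: int = 0) -> bool:
    """True when every bound variable of t refers to a mu inside t."""
    if isinstance(t, Bin):
        return closed(t.left, depth) and closed(t.right, depth)
    if isinstance(t, Mu):
        return closed(t.body, depth + 1)
    return t.index < depth if isinstance(t, Var) else True

def unify(s: Type, t: Type, sol: Subst) -> Optional[Subst]:
    """First-order unification with the type constants as the unknowns.  mu is
    an ordinary constructor: recursive types are never unfolded."""
    s, t = subst(sol, s), subst(sol, t)
    if s == t:
        return sol
    if isinstance(t, Const) and not isinstance(s, Const):
        s, t = t, s
    if isinstance(s, Const):
        # bind s := t unless that is cyclic or t mentions a binder outside itself
        return None if occurs(s.name, t) or not closed(t) else {**sol, s.name: t}
    if isinstance(s, Bin) and isinstance(t, Bin) and s.op == t.op:
        sol2 = unify(s.left, t.left, sol)
        return None if sol2 is None else unify(s.right, t.right, sol2)
    if isinstance(s, Mu) and isinstance(t, Mu):
        return unify(s.body, t.body, sol)
    return None

def unifier(sig: Signature) -> Optional[Subst]:
    """Most general unifier of all sharing equations of sig, or None when the
    signature is not unifiable (e.g. the cyclic sharing c = c x bool)."""
    sol: Optional[Subst] = {}
    for c, types in sig.sh.items():
        for t in types:
            sol = None if sol is None else unify(Const(c), t, sol)
    return sol

def type_eq(sig: Signature, s: Type, t: Type) -> bool:
    """s =_Sigma t, decided by comparing both sides under the unifier of sig."""
    sol = unifier(sig)
    if sol is None:
        raise ValueError("signature is not unifiable")
    return subst(sol, s) == subst(sol, t)

def is_subsignature(s1: Signature, s2: Signature) -> bool:
    """Definition 3: Sigma_1 is a subsignature of Sigma_2."""
    return (s1.ty <= s2.ty
            and all(type_eq(s2, Const(c), t) for c, ts in s1.sh.items() for t in ts)
            and all(v in s2.tm and type_eq(s2, s2.tm[v], t) for v, t in s1.tm.items()))

# Example 1 of the paper; 'bool' is assumed to be a type constant of every signature.
def prod(a: Type, b: Type) -> Type:
    return Bin("x", a, b)

BOOL, C, D = Const("bool"), Const("c"), Const("d")
SIGMA1 = Signature(frozenset({"bool", "c"}), {}, {"v": prod(prod(C, BOOL), prod(C, BOOL))})
SIGMA2 = Signature(frozenset({"bool", "c", "d"}), {"d": frozenset({prod(C, BOOL)})}, {"v": prod(D, D)})
SIGMA3 = Signature(frozenset({"bool", "c", "d"}), {}, {"v": prod(prod(C, BOOL), D)})
```

Calling is_subsignature on the three signatures reproduces the example: Σ1 ⊆ Σ2 and Σ3 ⊆ Σ2 hold, while Σ1 and Σ3 are unrelated because Σ3 has no sharing equation identifying d with c × bool.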



2.1 FPC Algebras 

FPC has a standard fixed-point semantics given using a universal domain (see 
e.g., [Gun92]). Using this we define interpretations for FPC types $\mathcal{M}[\![t]\!]_\iota$ in a type 
environment $\iota$ and for well-typed FPC terms $\mathcal{M}[\![e : t]\!]_{\iota,\rho}$ in a pair of environments 
$\iota, \rho$. The details are routine, except to require that a $\Sigma$-type environment $\iota$ is 
defined on both type variables and constants, and respects the sharing relation 
in $\Sigma$ (if $t \in \Sigma(c)$ then $\iota(c) = \mathcal{M}[\![t]\!]_\iota$). Similarly, we call $\rho$ a $(\Gamma, \Sigma, \iota)$-FPC 
environment if it maps term constants and variables to appropriate domains as 
required by $\Gamma$, $\Sigma$, and $\iota$. 

The interpretation of terms is preserved by signature change. This is the 
main part of the satisfaction condition. 

Definition 4 (Environment reducts). Let $\sigma : \Sigma \to \Sigma'$ be a signature mor- 
phism. Suppose $\iota$ is a $\Sigma'$-type environment and $\rho$ is a $(\sigma(\Gamma), \Sigma', \iota)$-FPC envi- 
ronment. We define $\iota|_\sigma$ and $\rho|_\sigma$ by: 

$$\iota|_\sigma(c) = \begin{cases} \iota(\sigma(c)) & \text{for } c \in \Sigma, \\ \text{undefined} & \text{otherwise.} \end{cases} 
\qquad 
\rho|_\sigma(v) = \begin{cases} \rho(\sigma(v)) & \text{for } v \in \Sigma, \\ \text{undefined} & \text{otherwise.} \end{cases}$$ 

$$\iota|_\sigma(a) = \iota(a) \qquad\qquad \rho|_\sigma(x) = \rho(x)$$ 

for all $c, a, v, x$. It follows directly that $\iota|_\sigma$ is a $\Sigma$-type environment and $\rho|_\sigma$ is a 
$(\Gamma, \Sigma, \iota|_\sigma)$-FPC environment. 
Proposition 1 (FPC meaning is preserved by signature change). Let 
$\sigma : \Sigma \to \Sigma'$ be a signature morphism. Suppose $\iota$ is a $\Sigma'$-type environment and 
$\rho$ is a $(\sigma(\Gamma), \Sigma', \iota)$-FPC environment. Then 

— $\mathcal{M}[\![t]\!]_{\iota|_\sigma} = \mathcal{M}[\![\sigma(t)]\!]_\iota$ and 

— $\mathcal{M}[\![\Gamma \vdash e : t]\!]_{\iota|_\sigma, \rho|_\sigma} = \mathcal{M}[\![\sigma(\Gamma) \vdash \sigma(e) : \sigma(t)]\!]_{\iota, \rho}$. 

An FPC $\Sigma$-algebra $A$ is now defined as a pair $(\iota_A, \rho_A)$ of a suitable type envi- 
ronment and term environment for an FPC signature $\Sigma$. We can define a model 
functor by setting $\mathrm{Mod}^{\mathit{IFPC}}(\Sigma)$ to be the discrete category of FPC $\Sigma$-algebras. 

2.2 LFPC, a Logic for FPC 

A suitable logic for FPC can be based on Gordon's HOL logic [GM93], which
has equality, implication, and a choice operator as primitive; other connectives
are definable. We add FPC types and the cpo order relation $\sqsubseteq$ inherited from
the fixed-point semantics, to give the types and terms of LFPC:

\[
\tau ::= t \mid \mathit{prop} \mid \tau \to \tau
\]
\[
h ::= \lambda z{:}\tau.\,h \mid h(h) \mid z \mid h = h \mid h \Rightarrow h \mid \varepsilon z{:}\tau.\,h \mid e \sqsubseteq e
\]

where $t \in \mathrm{ProgTypes}(\Sigma)$ and $z \in \mathrm{LogVar} \supseteq \mathrm{TmVar}$ ranges over a new countable
set LogVar of logical variables. The typing judgement $G \triangleright_\Sigma e : \tau$ is defined for
a fixed signature $\Sigma$ and a context $G$ of bindings $z : \tau$.

Notice that the logical function space is distinct from the programming language
one, and prop is distinct from any FPC type of booleans. No base type of
individuals is necessary because FPC already includes types denoting countably
infinite collections. Adding rules to axiomatise $\sqsubseteq$ gives us a higher-order logic of
computable functions (similar to e.g., [MNOS99]). By the anti-symmetry of $\sqsubseteq$,
FPC terms are automatically embedded in the logic, since we may express $e$ as
$\varepsilon x{:}t.\ x \sqsubseteq e \wedge e \sqsubseteq x$. Because $\mathrm{LogVar} \supseteq \mathrm{TmVar}$, we can abstract over terms of
the programming language inside the logic, but not vice-versa.

The semantics of LFPC is given using the standard set-theoretic construction
for HOL. Each type denotes a non-empty set: prop is a two element set,
$\tau \to \tau'$ denotes a set of functions. The FPC type $t$ is interpreted as the underlying
set of the domain which interprets $t$. To define a sentence functor for FPC,
we set $\mathrm{Sen}^{FPC}(\Sigma)$ to be the set of LFPC $\Sigma$-terms of type prop. The satisfaction
condition is straightforward to verify, extending signature morphisms and
Proposition 1 to terms of the logic.

Lemma 1 (Satisfaction condition for LFPC). Let $A$ be a $\Sigma'$-algebra and $\sigma :
\Sigma \to \Sigma'$ a signature morphism. Then $A|_\sigma \models \varphi$ iff $A \models \sigma(\varphi)$.

3 Syntax for Signatures, Algebras, and Renamings 

When writing parametrised programs and specifications, or using separate compilation
of program parts, we have a context of declared programs and specifications;
the context corresponds to the formal parameters or module interface.
Working in a context, we use signature expressions which may not themselves
be closed, but are closed when they are added to the context. Triples
$(\mathrm{Ty}_\Sigma, \mathrm{Sh}_\Sigma, \mathrm{Tm}_\Sigma)$ which have the same form as signatures but may not be closed
are called pre-signatures. There is an inclusion between the signature of the context
and the overall signature; if $\Sigma_{ctx}$ is the former, we write $\Sigma_{ctx} \sqsubseteq_\cup \Sigma$ to
indicate that $\Sigma$ is a pre-signature such that $\Sigma_{ctx} \subseteq \Sigma_{ctx} \cup \Sigma$, where $\cup$ is "sequential"
union of signatures. In this case, $\Sigma$ is a signature-in-context. An algebra-in-context
is then given by a function $f : \mathrm{Mod}(\Sigma_{ctx}) \to \mathrm{Mod}(\Sigma)$ which expands
any $\Sigma_{ctx}$-algebra $A$ to a $\Sigma$-algebra $f(A)$, so that $f(A)|_{\Sigma_{ctx}} = A$ (such an $f$ is
sometimes called a persistent constructor [ST88]).



Definition 5 (Signature morphism in context). Given $\Sigma_1, \Sigma_2$ such that
$\Sigma_{ctx} \sqsubseteq_\cup \Sigma_1$ and $\Sigma_{ctx} \sqsubseteq_\cup \Sigma_2$, a signature morphism in context $\Sigma_{ctx}$ between
them is defined to be an FPC signature morphism $\sigma : \Sigma_{ctx} \cup \Sigma_1 \to \Sigma_{ctx} \cup \Sigma_2$
such that the square

        Σ_ctx ─────── id ──────▶ Σ_ctx
          │                        │
          │ ι1                     │ ι2
          ▼                        ▼
    Σ_ctx ∪ Σ1 ─────── σ ──────▶ Σ_ctx ∪ Σ2

commutes (i.e., the action of $\sigma$ on $\Sigma_{ctx}$ is the identity).

The grammar for syntactic signatures, signature morphisms, and algebras is:

    S     ::= sig sdec* end
    sdec  ::= type c | val v : t | sharing c = t
    P     ::= alg pdec* end
    pdec  ::= type c = t | val v : t = e
    s     ::= [renam*]
    renam ::= c ↦ c | v ↦ v

Each form has a type checking judgement:

    Σ_ctx ▷ S ⇒ Σ          In Σ_ctx, S has pre-signature Σ
    Σ_ctx ▷ P ⇒ Σ          In Σ_ctx, P has pre-signature Σ
    Σ_ctx ▷ s ⇒ Σ → Σ'     In Σ_ctx, s is a renaming from Σ to Σ'

The first two judgements are inference judgements, since the pre-signature $\Sigma$ is
determined by the syntactic signature $S$ or the program $P$. A renaming, on the
other hand, does not determine its source or destination signature uniquely.

The typing rules are straightforward. They ensure that $\Sigma_{ctx} \cup \Sigma$ and $\Sigma_{ctx} \cup \Sigma'$
are proper signatures. The rule for adding a sharing equation is this:

\[
\frac{t \in \mathrm{ProgTypes}(\Sigma_{ctx} \cup \Sigma) \qquad
      \Sigma_{ctx} \triangleright sdecs \Rightarrow \Sigma \qquad
      \mathrm{Unifiable}(\Sigma_{ctx} \cup \Sigma \cup \{c = t\})}
     {\Sigma_{ctx} \triangleright sdecs\ \mathbf{sharing}\ c = t \Rightarrow \Sigma \cup \{c = t\}}
\]

The third premise ensures that the new equation is consistent with the equalities
known so far. For typable phrases, it is easy to give a semantics.
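To make the inclusion relation of Example 1 and the Unifiable premise of the sharing rule concrete, here is an added Python model; it is not code from the paper. Signatures are dicts of type constants, sharing equations and value declarations; a product $a \times b$ is encoded as `("x", a, b)`; the sharing equations are solved by first-order unification with the declared type constants in the role of unification variables (an assumption about what Unifiable means, which the paper does not spell out); and inclusion compares components modulo the solved equations. The names `included`, `add_sharing`, `unifiable` and `normalise` are this example's own.

```python
# Toy model of FPC signatures with sharing equations (added example, not the
# paper's own code). A type expression is a string naming a declared type
# constant or the base type "bool", or a tuple ("x", a, b) for the product
# a × b. Sharing equations are solved as a first-order unification problem in
# which declared type constants play the role of variables (an assumption).

BASE = {"bool"}


def is_const(t):
    """A declared type constant (as opposed to a base type or a product)."""
    return isinstance(t, str) and t not in BASE


def resolve(t, subst):
    """Follow the bindings of a constant in a (triangular) substitution."""
    while is_const(t) and t in subst:
        t = subst[t]
    return t


def occurs(c, t, subst):
    """Occurs check: does the constant c appear in t under subst?"""
    t = resolve(t, subst)
    if t == c:
        return True
    if isinstance(t, tuple):
        return occurs(c, t[1], subst) or occurs(c, t[2], subst)
    return False


def unify(a, b, subst):
    """Extend subst so that a and b coincide; None if they cannot."""
    a, b = resolve(a, subst), resolve(b, subst)
    if a == b:
        return subst
    if is_const(a):
        if occurs(a, b, subst):          # e.g. c = c × bool has no solution
            return None
        return {**subst, a: b}
    if is_const(b):
        return unify(b, a, subst)
    if isinstance(a, tuple) and isinstance(b, tuple):
        s = unify(a[1], b[1], subst)
        return None if s is None else unify(a[2], b[2], s)
    return None                           # bool against a product


def unifiable(sharing):
    """Most general unifier of the equations [(c, t), ...], or None."""
    subst = {}
    for c, t in sharing:
        subst = unify(c, t, subst)
        if subst is None:
            return None
    return subst


def normalise(t, subst):
    """Canonical form of t modulo the equations solved by subst."""
    t = resolve(t, subst)
    if isinstance(t, tuple):
        return ("x", normalise(t[1], subst), normalise(t[2], subst))
    return t


def constants(t):
    """Type constants mentioned in t (the t ∈ ProgTypes(...) premise)."""
    if isinstance(t, tuple):
        return constants(t[1]) | constants(t[2])
    return {t} if is_const(t) else set()


def included(sig, sig2):
    """Σ ⊆ Σ': every component of Σ is present in Σ', up to Σ' 's sharing."""
    mgu = unifiable(sig2["sharing"])
    if mgu is None or not sig["types"] <= sig2["types"]:
        return False
    for c, t in sig["sharing"]:           # Σ's equations must hold in Σ'
        if normalise(c, mgu) != normalise(t, mgu):
            return False
    for v, t in sig["vals"].items():      # same values, equal types modulo Σ'
        if v not in sig2["vals"] or normalise(t, mgu) != normalise(sig2["vals"][v], mgu):
            return False
    return True


def add_sharing(sig, c, t):
    """The 'sharing c = t' rule: the equation must mention only declared types
    and stay consistent with the equations known so far. Returns the extended
    signature, or None when a premise fails."""
    if c not in sig["types"] or not constants(t) <= sig["types"]:
        return None
    new = sig["sharing"] + [(c, t)]
    if unifiable(new) is None:
        return None
    return {**sig, "sharing": new}


def prod(a, b):
    return ("x", a, b)


# The three signatures of Example 1.
SIG1 = {"types": {"c"}, "sharing": [],
        "vals": {"v": prod(prod("c", "bool"), prod("c", "bool"))}}
SIG2 = {"types": {"c", "d"}, "sharing": [("d", prod("c", "bool"))],
        "vals": {"v": prod("d", "d")}}
SIG3 = {"types": {"c", "d"}, "sharing": [],
        "vals": {"v": prod(prod("c", "bool"), "d")}}

if __name__ == "__main__":
    print(included(SIG1, SIG2), included(SIG3, SIG2))   # True True
    print(included(SIG1, SIG3), included(SIG3, SIG1))   # False False
    print(add_sharing(SIG2, "c", "d"))   # None: c = d and d = c × bool have no solution
```

Adding `sharing d = c × bool` to Σ3 with `add_sharing` yields a signature into which Σ1 is included, which is exactly why Σ1 ⊆ Σ2 holds while Σ1 and Σ3 are unrelated: the inclusion is decided modulo the equations of the larger signature.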

Definition 6 (Interpretation of syntax in context).

- $[\![\Sigma_{ctx} \triangleright S \Rightarrow \Sigma]\!]$ is the signature in context $\Sigma_{ctx} \cup \Sigma$.

- $[\![\Sigma_{ctx} \triangleright s \Rightarrow \Sigma \to \Sigma']\!]$ is the signature morphism in context $\sigma :
  [\Sigma_{ctx}]\Sigma \to \Sigma'$ determined by $s$.

- $[\![\Sigma_{ctx} \triangleright P \Rightarrow \Sigma]\!]$ is the functor $f_P : \mathrm{Mod}(\Sigma_{ctx}) \to \mathrm{Mod}(\Sigma_{ctx} \cup \Sigma)$
  given by
  \[
  f_P(A) = \mathcal{P}[\![\Sigma_{ctx} \triangleright pdecs \Rightarrow \Sigma]\!](A),
  \]
  where $P = \mathbf{alg}\ pdecs\ \mathbf{end}$ and $\mathcal{P}[\![-]\!]$ is defined by induction on the derivation
  of $\Sigma_{ctx} \triangleright pdecs \Rightarrow \Sigma$, extending $\iota_A$ and $\rho_A$ in an obvious way.

4 Modular Programs and Specifications in ASL+FPC

ASL+FPC is based on the syntax for FPC of the previous sections. This syntax
is combined using ASL-style specification building operators and a λ-calculus.
There is a single syntactic category of pre-terms:

    M ::= X | P | S
        | impose φ on M | derive from M by s : S
        | translate M by s | enrich M with M
        | λX:M.M | M X | ΠX:M.M | Spec(M)
        | Let X = M in M : M

Variables $X$ range over a countable set ModVar. Meta-variables $SP$, $A$, $M$ are
all used to range over the set of pre-terms, with the hint that $SP$ will denote a
specification (collections of FPC algebras), and $A$ some arbitrary collection.

Space precludes a complete motivation and explanation of the ASL+ calculus;
we give only a brief overview. First, the ASL operators impose, etc, have
their usual intentions in building specifications. The λ-calculus portion consists
of λ-abstraction, application to variables, and Π-quantification for parametric
(architectural) specifications. The $\mathrm{Spec}(-)$ operator formalizes specification
refinement: $SP' : \mathrm{Spec}(SP)$ asserts that $SP'$ is a refinement of $SP$. This allows parametrised
specifications and programs which accept any refinement of their formal parameter,
written $\lambda X{:}\mathrm{Spec}(SP).\ M$ (semantically, $\mathrm{Spec}(-)$ is understood as a powerset
operator). Finally, the let construct allows local definitions of modules, to relieve
the restriction on function applications. It also imposes a signature or specification
constraint: in $\mathbf{Let}\ X = A\ \mathbf{in}\ M : SP$, the constraining specification $SP$
may be used to hide some details of the implementation $M$; in particular it must
hide any mention of $X$ from the result signature of $M$. (This prevents exporting
a hidden symbol; module type systems solve this problem in varying ways).

Contexts for ASL+FPC contain declarations and definitions for module
variables. They may also directly include specifications, to allow "pervasive"
datatypes of the language which are visible everywhere (BOOLEAN, INTEGER, etc).

    Γ ::= () | Γ, X : A | Γ, X = M | Γ, SP

For type checking, we extract an FPC signature from a context $\Gamma$. This will
include all of the pervasive elements, but also, any variables which stand for
algebras will be included with their signatures, renamed using a "dot renaming"
function to prefix identifiers with the module variable name. (We must assume
the existence of suitable dot-renaming functions on TyVar, TmVar). Given a
signature $\Sigma$, we write $X.\Sigma$ for the dot-renamed signature. Dot notation provides
a way for programs to refer to components of modules. The notation can only be
used on module variables because the syntax of FPC does not include ASL+FPC
expressions; this restricts type propagation in the higher-order case.

4.1 Type Checking with Rough Types

Now we come to the main novelty in the development. ASL+ is equipped with
two formal systems: one for proving satisfaction of a specification by a program,
and the other for "rough" typing, which is designed to isolate the "static" type
checking component of satisfaction. We follow the same plan in ASL+FPC,
except that rough types are improved to allow type equalities to be propagated
from argument to result in parametrised programs. This generalisation is really
the crux of the new system. Rough types have the syntax:

\[
\kappa ::= \Sigma \mid \pi X{:}A.\,\kappa \mid P(\kappa)
\]

where $\Sigma$ ranges over pre-signatures. A program denoting a $\Sigma$-algebra will have
rough type $\Sigma$; a $\Sigma$-specification expression will have type $P(\Sigma)$. The π-types classify
functions. The main way that sharing information is propagated is through
equations in pre-signatures that refer to the environment (e.g., $c = X.c$). The
reason that the domain $A$ of a type $\pi X{:}A.\,\kappa$ is a full ASL+ term is to account
properly for sharing propagation between successive specification and program
parameters; retaining a full term here allows rough types to be recalculated (see
[Asp97] for further explanation).

There are three typing judgements:

    Γ ⇒sig Σ_Γ        Σ_Γ is the underlying FPC signature of Γ
    Γ ▷ κ ≤ κ'        κ is a subtype of κ'
    Γ ▷ M ⇒ κ         M has rough type κ

These judgements are defined in Figures 1-4, described in turn below.

Underlying signature (Figure 1). This judgement also serves to say that the
context is well-formed. The underlying FPC signature is made by combining pre-signatures
for the pervasive parts of the context, together with the dot-renamed
components $X.\Sigma$ for variables $X$ which range over $\Sigma$-algebras^4. Module variables
which have non-signature types (the rules assume $\kappa$ is a non-signature) do not
contribute to the FPC signature of the context; there is no way to use them
directly in any FPC type or term.

^4 a sort of "flattening" operation, reminiscent of the way Java treats inner classes.
\[
\frac{}{() \Rightarrow_{sig} \emptyset}
\qquad
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright SP \Rightarrow P(\Sigma)}
     {\Gamma, SP \Rightarrow_{sig} \Sigma_\Gamma \cup \Sigma}
\qquad
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright SP \Rightarrow P(\kappa)}
     {\Gamma, SP \Rightarrow_{sig} \Sigma_\Gamma}
\]

\[
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright SP \Rightarrow P(\Sigma)}
     {\Gamma, X : SP \Rightarrow_{sig} \Sigma_\Gamma \cup X.\Sigma}
\qquad
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright SP \Rightarrow P(\kappa)}
     {\Gamma, X : SP \Rightarrow_{sig} \Sigma_\Gamma}
\]

\[
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright M \Rightarrow \Sigma}
     {\Gamma, X = M \Rightarrow_{sig} \Sigma_\Gamma \cup X.\Sigma}
\qquad
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Gamma \triangleright M \Rightarrow \kappa}
     {\Gamma, X = M \Rightarrow_{sig} \Sigma_\Gamma}
\]

(in the rules, $\kappa$ ranges over non-signature rough types)

Fig. 1. Underlying signature of a context



\[
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad
      \Sigma_\Gamma \sqsubseteq_\cup \Sigma \quad
      \Sigma_\Gamma \sqsubseteq_\cup \Sigma' \quad
      (\Sigma_\Gamma \cup \Sigma') \subseteq_{sh} (\Sigma_\Gamma \cup \Sigma)}
     {\Gamma \triangleright \Sigma \le \Sigma'}
\]

\[
\frac{\Gamma \triangleright A_1 \Rightarrow \kappa \quad
      \Gamma \triangleright A_2 \Rightarrow \kappa \quad
      \Gamma, X : A_2 \triangleright \kappa_1 \le \kappa_2}
     {\Gamma \triangleright \pi X{:}A_1.\,\kappa_1 \le \pi X{:}A_2.\,\kappa_2}
\]

\[
\frac{\Gamma \triangleright \kappa \le \kappa'}
     {\Gamma \triangleright P(\kappa) \le P(\kappa')}
\]

Fig. 2. Subtyping rules for rough types



Subtyping rules (Figure 2). We write $\Sigma_1 \subseteq_{sh} \Sigma_2$ if $\Sigma_1 \subseteq \Sigma_2$ but $\mathrm{Ty}_{\Sigma_1} = \mathrm{Ty}_{\Sigma_2}$
and $\mathrm{Tm}_{\Sigma_1} = \mathrm{Tm}_{\Sigma_2}$. In this case $\Sigma_2$ only differs from $\Sigma_1$ in having more sharing.

The subtyping rules lift this relation to a relation on rough types. The rule for
π-rough types appears as if it allows contravariancy in the domain; in fact, it
does not because the rough types of $A_1$ and $A_2$ are required to be the same.

Programs and ASL terms (Figure 3). The rules for rough typing ASL terms,
including FPC signatures and algebras, involve some signature calculation. The
first two rules invoke the type checking system for the core-level from Section 3.
The rule for impose checks that $\varphi$ is a well-typed proposition.

The rules for derive and translate use renaming syntax, allowing some
polymorphism. Arguments of derive from $-$ by $s : S$ or of translate $-$ by $s$
can have any signature which fits suitably with $s$, according to the type checking
rules for signature morphisms. The result signature of derive has to be given,
but the result of translate is inferred, as the smallest image^5 of $s$. In fact, the
rule for translate can be understood as constructing a pushout by propagating
extra sharing; relying on the natural polymorphism of the syntax for renamings
(as opposed to a semantic signature morphism in $\mathrm{Sign}^{FPC}$), this happens automatically.
The rule for derive, by contrast, is provided with an explicit target
signature, so any sharing in $SP$ beyond that required by $S$ will be disregarded.

^5 This means that translate only uses surjective signature morphisms; but we can
express translation along inclusions translate $SP$ by $\iota : \Sigma \to \Sigma'$ using enrich.
\[
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Sigma_\Gamma \triangleright S \Rightarrow \Sigma}
     {\Gamma \triangleright S \Rightarrow P(\Sigma)}
\qquad
\frac{\Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad \Sigma_\Gamma \triangleright P \Rightarrow \Sigma}
     {\Gamma \triangleright P \Rightarrow \Sigma}
\]

\[
\frac{\Gamma \triangleright SP \Rightarrow P(\Sigma) \quad
      \Gamma, SP \Rightarrow_{sig} \Sigma' \quad
      \triangleright_{\Sigma'} \varphi : \mathit{prop}}
     {\Gamma \triangleright \mathbf{impose}\ \varphi\ \mathbf{on}\ SP \Rightarrow P(\Sigma)}
\]

\[
\frac{\Gamma \triangleright SP \Rightarrow P(\Sigma') \quad
      \Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad
      \Sigma_\Gamma \triangleright S \Rightarrow \Sigma \quad
      \Sigma_\Gamma \triangleright s \Rightarrow \Sigma \to \Sigma'}
     {\Gamma \triangleright \mathbf{derive\ from}\ SP\ \mathbf{by}\ s : S \Rightarrow P(\Sigma)}
\]

\[
\frac{\Gamma \triangleright SP \Rightarrow P(\Sigma) \quad
      \Gamma \Rightarrow_{sig} \Sigma_\Gamma \quad
      \Sigma_\Gamma \triangleright s \Rightarrow \Sigma \to s(\Sigma)}
     {\Gamma \triangleright \mathbf{translate}\ SP\ \mathbf{by}\ s \Rightarrow P(s(\Sigma))}
\]

\[
\frac{\Gamma \triangleright SP \Rightarrow P(\Sigma) \quad
      \Gamma, SP \triangleright SP' \Rightarrow P(\Sigma')}
     {\Gamma \triangleright \mathbf{enrich}\ SP\ \mathbf{with}\ SP' \Rightarrow P(\Sigma \cup \Sigma')}
\]

Fig. 3. Rough typing programs and ASL terms



The rule for enrich is similar to a rule for the dependent sum in type theory:
just as $x$ occurs bound in $B$ in the term $\Sigma x{:}A.\,B$, so all the symbols of $SP$ occur
bound in $SP'$ in the term enrich $SP$ with $SP'$. This non-symmetry in enrich
isn't revealed by its usual definition in terms of translate and union. The
directly defined semantics of enrich $SP$ with $SP'$ also shows the dependency:
models of the result are extensions of models of $SP$.

ASL+ terms (Figure 4). First, a variable which ranges over $\Sigma$-algebras is given
a special strengthened type. The signature $\Sigma / X$ is defined as $\Sigma$ with the sharing
equations augmented, so that $\mathrm{Sh}_{\Sigma/X}(c) = \mathrm{Sh}_\Sigma(c) \cup \{c = X.c\}$. This reflects the
sharing of $X$ with the context, since it denotes a projection on the $X.$-named part
of the underlying environment. Strengthening was introduced by Leroy [Ler94]
and a similar rule is present in most module type systems.

Rules for λ-abstractions and Π-abstractions are straightforward. Applications
are restricted to variables; it may be necessary to rename the bound variable
of the Π-type of the function to match the operand. The application rule
is the crucial place where type identities are propagated. Subtyping here allows
the actual parameter to have a richer type with more sharing equations than
the type of the formal parameter $A$. Propagation of the type identities occurs
because after application any mention of $X.c$ in the result type $\kappa'$ will refer to a
variable declared in the context, possibly having more sharing equations, rather
than the bound variable of the Π-type.

The rule for a binding $\mathbf{Let}\ X = M\ \mathbf{in}\ N : A$ allows $N$ to be typed in the
context extended by the typing of $M$ and checks that the type of the constraint
$A$ is correct. The rough type of $A$ is typed in $\Gamma$, so the dependency on $X$ must
be removed. The notation $\lceil\kappa\rceil$ in this rule embeds the rough type as a term of
Fig. 4. Rough typing ASL+ terms



the calculus, defined by replacing $\Sigma$ by its syntax, $\pi X{:}A.\,\kappa'$ by $\Pi X{:}A.\,\lceil\kappa'\rceil$
and $P(\kappa')$ by $\mathrm{Spec}(\lceil\kappa'\rceil)$. This is simply a trick to avoid introducing a notion of
rough-context (context with rough typing assumptions); when we project from
the context, we get the rough type $\kappa$ (or a strengthened version) again.



4.2 Brief Example

The following example shows how type equalities are propagated. We will build
up a context of declarations step-by-step. First

    Γ1 =def ELT = sig
                    type elt
                  end

If the denotation of this expression is $\Sigma_{ELT}$, then we have the rough typing
$\emptyset \triangleright ELT \Rightarrow P(\Sigma_{ELT})$. Now we declare a parametrised program for building
lists over some $\Sigma_{ELT}$-algebra:

    Γ2 =def Γ1, List = λElt : ELT . alg
                                      type elt = Elt.elt
                                      type list = list_elt
                                      val nil : list = ...
                                      val cons : list = ...
                                    end

($list_{elt}$ is a type-expression in FPC which expresses the type of lists over the
type $elt$; the dots are filled with appropriate terms). This has the rough typing
$\Gamma_2 \triangleright List \Rightarrow \pi Elt{:}ELT.\ \Sigma_{LIST}[Elt.elt]$. The inferred signature of the algebra
List is $\Sigma_{LIST}[Elt.elt]$, where the square brackets are informal notation to
indicate a dependency on $Elt$. To be more exact: this is the signature of lists extended
with the equation $elt = Elt.elt$. Now we may apply the List program
to an algebra, for example:

    Γ3 =def Γ2, Nat = alg
                        type elt = nat
                      end

(where nat is an FPC type expression for natural numbers). Then $\Gamma_3 \triangleright Nat \Rightarrow
\Sigma_{ELT}[nat]$ where $\Sigma_{ELT}[nat] = \Sigma_{ELT} \cup \{elt = nat\}$. Now we can derive $\Gamma_3 \triangleright
List\ Nat \Rightarrow \Sigma_{LIST}[Nat.elt]$. Define $\Gamma_4 = \Gamma_3, ListNat = List\ Nat$. In
the underlying FPC signature (such that $\Gamma_4 \Rightarrow_{sig} \Sigma_{\Gamma_4}$), we have the equation
$ListNat.elt = nat$, which means that we can apply natural number functions
to elements of ListNat lists.

This very simple example demonstrates propagation of type equalities for the
application of List. To prevent it, we could define an opaque version of list:

    OpaqueList = Let L = List in L : ΠElt:ELT. Σ_LIST

In a declaration OList = OpaqueList Nat the type identity of OList.elt is
unknown, so we could only pass elements of this list around.
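The propagation traced in this example, and its suppression by the opaque Let constraint, can be checked with the following added Python model of the rough typing rules of Figures 1-4; it is not the paper's system. Its representation is a simplification assumed here: a pre-signature is a set of type constants plus a list of sharing equations, subtyping is reduced to "same types and at least the same equations" (the $\subseteq_{sh}$ premise of Figure 2 without the context part), dotted names such as `Nat.elt` are plain strings, and the function names `sig`, `dot`, `strengthen`, `apply_to`, `opaque`, `underlying` and `resolve` are this example's own.

```python
# Toy rough typing of the List/Nat example (added illustration, not the
# paper's system). A type is a string (base type "nat", a constant "elt",
# or a dotted component "Nat.elt") or a tuple ("list", t) for list_t.
# A rough π-type is ("pi", X, Σ_dom, Σ_res). All names are assumptions.

def sig(types, sharing=()):
    """A pre-signature: declared type constants and equations c = t."""
    return {"types": set(types), "sharing": list(sharing)}


def subst_type(t, mapping):
    """Rename the constants occurring in a type expression."""
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst_type(a, mapping) for a in t[1:])
    return mapping.get(t, t)


def rename_sig(s, mapping):
    return sig((mapping.get(c, c) for c in s["types"]),
               ((mapping.get(c, c), subst_type(t, mapping)) for c, t in s["sharing"]))


def dot(X, s):
    """X.Σ: the dot-renamed signature, prefixing each constant of Σ by X."""
    return rename_sig(s, {c: f"{X}.{c}" for c in s["types"]})


def strengthen(s, X):
    """Σ/X: add c = X.c for every type c, tying Σ to the context's X."""
    return sig(s["types"], s["sharing"] + [(c, f"{X}.{c}") for c in s["types"]])


def sub_sig(a, b):
    """Σ_a ≤ Σ_b: same types, and Σ_a carries at least the sharing of Σ_b."""
    return a["types"] == b["types"] and all(eq in a["sharing"] for eq in b["sharing"])


def apply_to(ctx, fn_type, Y):
    """Application M Y for M : πX:Σ_dom.Σ_res. The actual parameter is
    strengthened, checked against the domain, and X.c becomes Y.c in the
    result: this is where type equalities are propagated."""
    _, X, dom, res = fn_type
    actual = strengthen(dict(ctx)[Y], Y)
    if not sub_sig(actual, dom):
        raise TypeError(f"{Y} does not match the parameter signature of {X}")
    return rename_sig(res, {f"{X}.{c}": f"{Y}.{c}" for c in dom["types"]})


def opaque(fn_type, constraint):
    """Let L = M in L : constraint. The constraint must be a supertype of
    M's rough type; only the constraint's (weaker) sharing escapes."""
    _, X, dom, res = fn_type
    _, X2, dom2, res2 = constraint
    if X != X2 or dom != dom2 or not sub_sig(res, res2):
        raise TypeError("constraint is not a supertype of the definition")
    return constraint


def underlying(ctx):
    """Γ ⇒sig Σ_Γ, as a map of equations: only variables bound to
    Σ-algebras contribute, each dot-renamed (Figure 1)."""
    eqs = {}
    for X, kappa in ctx:
        if isinstance(kappa, dict):
            eqs.update(dot(X, kappa)["sharing"])
    return eqs


def resolve(t, eqs):
    """Normalise a type by the equations of the underlying signature
    (assumed acyclic, as the typing rules guarantee)."""
    if isinstance(t, tuple):
        return (t[0],) + tuple(resolve(a, eqs) for a in t[1:])
    return resolve(eqs[t], eqs) if t in eqs else t


# Σ_ELT, the rough type of List (result Σ_LIST[Elt.elt]) and Nat : Σ_ELT[nat].
ELT = sig(["elt"])
LIST = ("pi", "Elt", ELT,
        sig(["elt", "list"], [("elt", "Elt.elt"), ("list", ("list", "elt"))]))
NAT = sig(["elt"], [("elt", "nat")])


def transparent_example():
    """Γ4 = Nat, ListNat = List Nat: what do ListNat.elt and ListNat.list denote?"""
    ctx = [("Nat", NAT)]
    ctx = ctx + [("ListNat", apply_to(ctx, LIST, "Nat"))]
    eqs = underlying(ctx)
    return resolve("ListNat.elt", eqs), resolve("ListNat.list", eqs)


def opaque_example():
    """OList = OpaqueList Nat, with OpaqueList = Let L = List in L : ΠElt:ELT.Σ_LIST."""
    opaque_list = opaque(LIST, ("pi", "Elt", ELT,
                                sig(["elt", "list"], [("list", ("list", "elt"))])))
    ctx = [("Nat", NAT)]
    ctx = ctx + [("OList", apply_to(ctx, opaque_list, "Nat"))]
    return resolve("OList.elt", underlying(ctx))


if __name__ == "__main__":
    print(transparent_example())   # ('nat', ('list', 'nat'))
    print(opaque_example())        # 'OList.elt': the identity stays hidden
```

The transparent case resolves `ListNat.elt` through two equations of the underlying signature, `ListNat.elt = Nat.elt` (introduced by the application) and `Nat.elt = nat` (from the definition of Nat); the opaque case has no equation for `elt` at all, so `OList.elt` resolves only to itself.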

4.3 Results and Further Developments

One important and non-trivial result is the decidability of rough type checking.

Theorem 1 (Decidability). If all signatures are finite, each of the rough typing
judgements is decidable.

Proof. (Outline). First, observe that type checking in FPC and LFPC for finite
signatures is decidable. For a slightly different formulation of the rough typing
system viewed as an algorithm, we can give a measure on the inputs to each
judgement which decreases from conclusions to premises of each rule. □

A set-theoretic semantics for ASL+FPC is given in [Asp97] together with
a soundness proof. It interprets each of the typing judgements given above.
However, the interpretation function is partial: rough type checking alone cannot
guarantee that specifications are consistent, nor that actual arguments to
parametrised programs or specifications meet the axiomatic requirements of their
formal parameters.

To guarantee the well-definedness of an ASL+FPC term, we may need to
do theorem proving. This is provided for with the satisfaction system, which
incorporates ideas from other research into proof in structured specification.

5 Further Work, Related Work

The work here is mostly taken from Chapters 6 and 7 of my PhD thesis [Asp97],
which contains additional results and full definitions. Theorem 1 is a new result.
The work began from the conception of adding type equations to algebraic signatures
to explain sharing, an idea which occurred earlier to Tarlecki [Tar92].
The system here draws somewhat on later ideas of programming language researchers
in investigating type systems for program modules, particularly those
of Leroy [Ler95] and Harper and Lillibridge [HL94].

The most closely related and recent work in the algebraic specification community
is on CASL's architectural specifications [SMT+01]. This retains institution
independence, but at the expense of complexity and for a language more
restricted than ASL+.

Research is still highly active in the programming languages community in
the quest to find more expressive type systems which are easier to understand
and have good properties such as decidability (which failed for [HL94]). See
e.g., [Sha98,Sha99,Jud97,Jon96,Rus99,DCH03]. Space precludes a detailed survey,
but one aspect is worthy of note: several recent systems employ singleton
kinds [SH00,DCH03] as an alternative to manifest types, as a way of succinctly
internalising type equalities within the type system. The original version
of ASL+ [SST92] in fact included a singleton construct (isolated in [Asp95a]) to
allow a program to be turned into a trivial specification, and it was suggested
how the dot notation could be expressed using this construct. (There are also
connections here with the work of Cengarle [Cen94] who defined a syntax with
an operator $\mathrm{Sig}(-)$ for extracting the signature of an actual parameter; her work
is an older relative of ASL+FPC).

In the end, it is a challenge to balance the various requirements and give a feasible
system for type checking. The solution here is not ideal and has drawbacks
outlined in [Asp97]. Typing modules for a specification language like ASL+ has
different requirements to the programming case, and the system proposed here
should be regarded only as a first attempt at a type-theoretic solution.



Towards Edinburgh CASL

One future venture we would like to undertake is the design and implementation
of a CASL extension for a subset of Standard ML. While the specification constructs
and CASL variations have received a great deal of attention, connection
to specific programming languages remains relatively unexplored. A significant
exception is the work at Bremen on HasCASL [SM02], which has parallels with
what we want to do (and connections with work described above). We have
early design ideas for a CASL extension called Edinburgh CASL, which is dedicated
to specification for a subset of Standard ML, and constructed using a
type-theoretic approach similar to that of ASL+FPC. We go beyond FPC in
considering additional features of SML like polymorphism and pattern matching.

Since ASL+FPC was invented, improvements to generic institutional technology
were developed which may allow a more abstract approach (for example,
using institutions with symbols and derived signature morphisms, instead of the
concrete sharing relation in FPC signatures); however, these may not help with
more advanced features such as first-class modules. And it remains important to
verify that abstract constructions produce the desired result in different scenarios,
by experimenting with ways of adding programming languages to CASL.
Abstract. Pre-nets have been recently proposed as a means of providing a func- 
torial algebraic semantics to Petri nets (possibly with read arcs), overcoming 
some previously unsolved subtleties of the classical model. Here we develop a 
functorial semantics for pre-nets following a sibling classical approach based on 
an unfolding construction. Any pre-net is mapped to an acyclic branching net, 
representing its behaviour, then to a prime event structure and finally to a finitary 
prime algebraic domain. Then the algebraic and unfolding view are reconciled: 
we exploit the algebraic semantics to define a functor from the category of pre- 
nets to the category of domains that is shown to be naturally isomorphic to the 
unfolding-based functor. All the results are extended to pre-nets with read arcs. 

Introduction 

P/T Petri nets [Rei85] are one of the most widely known models of concurrency. Since 
their introduction, almost fifty years ago [Pet62], the conceptual simplicity of the model 
and its intuitive graphical presentation have attracted the interest of both theoreticians 
and practitioners. Nevertheless, the concurrent semantics of Petri nets still presents sev- 
eral aspects that cannot be considered fully encompassed. The aim of this paper is to 
point out the missing fragments of the overall picture and to fill as many gaps as possi- 
ble, providing neat mathematical constructions. 

We concentrate on the semantic interpretation arising from the so-called individual 
token philosophy (ITPh) as opposed to the collective token philosophy (CTPh). The two 
terminologies have been introduced in [GP95] to distinguish the interpretation of to- 
kens in the same place as anonymous and indistinguishable resources (CTPh), from the 
view of tokens as resources uniquely characterised by their histories and causal depen- 
dencies (ITPh). On the one hand, the CTPh, taking the paradigm of multiset rewriting 
to the extreme consequence is somehow simpler: repeated elements in a multiset are 
completely equivalent and cannot be distinguished one from the other. On the other 
hand, the CTPh is less amenable to the full variety of concurrent semantic frameworks 
that can be studied in the ITPh. Roughly these can be classified in process-oriented, 
unfolding, algebraic, and logical; 

* Research supported by the FET-GC Project IST-2001-32747 AGILE and by the MIUR Project 
COFIN 2001013518 CoMeta. The second author is also supported by an Italian CNR fellow- 
ship for research on Information Sciences and Technologies, and by the CS Department of the 
University of Illinois at Urbana-Champaign. 

M. Wirsing, D. Pattinson, and R. Hennicker (Eds.): WADT 2002, LNCS 2755, pp. 145-164, 2003. 

© Springer- Verlag Berlin Heidelberg 2003 



146 



P. Baldan, R. Bruni, and U. Montanari 



- The process approach focuses on non-sequential / concurrent models of compu- 
tations and on their composition. Several notions of (deterministic) process have 
been proposed that rely on different abstractions in modelling resources, executed 
events and concurrent computations [BD87,GR83,DMM96,Sas98]. 

- The unfolding approach is built on top of nondeterministic processes to account for 
a broader view of computations, which includes concurrency, causality and con- 
flict. Starting from the seminal work of Winskel [Win87], which focuses on the 
simpler class of safe nets, several authors have contributed to the generalisation of 
the approach to the full class of P/T Petri nets [MMS92,MMS97a,MMS96], show- 
ing that a chain of adjunctions (coreflections in the case of safe or semi-weighted 
nets) leads from PTNets to PES, for PTNets the category of P/T Petri nets and PES 
the category of prime event structures, which is equivalent to the category Dom of 
coherent finitary prime algebraic domains (for this reason, the unfolding approach 
is sometimes referred to as a denotational semantics). 

- The algebraic approach, originally proposed in [MM90] for the CTPh under the 
statement “Petri nets are monoid”, recasts the process approach in universal alge- 
bras: The idea is to characterise the concurrent model of computation as the initial 
model in a suitable algebra of decorated computations. 

- The logical view tries to recast the algebraic approach into deduction theories, 
whose sentences denote concurrent execution strategies and whose theorems se- 
lect admissible computations [BMMS01]. 

Category theory has been shown instrumental in all the above approaches: processes 
come naturally equipped with notions of parallel and sequential composition, which 
provide the structure of a monoidal category; adjunctions and coreflections are categorical
notions used in the unfolding semantics to guarantee that all constructions are 
as good as possible; P/T Petri nets are essentially graphs with structured nodes, and, as 
such, can be naturally equipped with structure-preserving homomorphisms, which can 
also be seen as simulation morphisms; initiality in the algebraic semantics is again a 
categorical notion for selecting the best candidate model; finally, the logical view exploits
the fact that adjunctions between the categories of models of two theories, like 
the theory of Petri nets and the theory of concurrent models, can be more conveniently 
expressed as theory morphisms (whose existence is easier to prove). 

When categories are involved, a central property of the semantic constructions, wit- 
nessing their appropriateness, is functoriality, i.e., the fact that simulation morphisms 
between nets are preserved at the level of computational, algebraic, logical and deno- 
tational models. A second crucial property is universality, in the sense of constructions 
expressed as adjunctions. In fact, we remind that when functors are left/right adjoints 
they preserve colimits/limits yielding good compositionality properties. 

For the ITPh the unfolding approach is completely stable and satisfactory. Instead, 
the application of the algebraic approach to the ITPh presents several problems basically 
related to the fact that the monoidal operation on computations is commutative only 
up to a symmetry natural isomorphism. As a consequence, the construction proposed 
in [DMM96] fails to preserve some ordinary simulation morphisms between nets. The 
situation is improved in [MMS97b] up to a pseudo-functorial construction [Sas98]. 
Correspondingly, different notions of deterministic processes, which differ just in the 
decoration of minimal and maximal places, have been proposed as "concrete" models. 
The lack of functoriality has also discouraged the formulation of a logical semantics. 

The problem intuitively resides in the dichotomy between the multiset view of a 
state and the need of distinguishing uniquely its elements to track their causal history. 
A relevant advance of the theory has been the introduction of pre-nets [BMMS99] (see 
also [BMMS01] for an extensive discussion), a variant of ordinary nets where a to- 
tal ordering is imposed on the places occurring in the pre- and post-set of transitions. 
Any pre-net can be seen as a concrete “implementation” of the Petri net obtained by 
forgetting about the ordering of places in pre- and post-sets. Using strings rather than 
multisets allows to uniquely characterise each element by its position. Thus pre-nets 
allow to obtain a satisfactory algebraic treatment, where the construction of the model 
of computation yields an adjunction between the category of pre-nets and the category 
of models (symmetric monoidal categories [Mac71]) and it can be expressed as a theory 
morphism, accounting for the algebraic and logical views. Notably, the construction of 
the model of computation for all pre-nets implementing the same Petri net yields the 
same result, hence we can define the semantics of a net as the algebraic semantics of 
any of its pre-net implementations. Still the picture is incomplete, since some classical 
approaches to the semantics of Petri nets have not been yet explored for pre-nets. 

In this paper we complete the theory of pre-nets by showing that: 

- Concrete notions of deterministic occurrence pre-nets and of pre-net processes can 
be defined in analogy with Petri nets. Finite processes form a symmetric monoidal 
category which turns out to be isomorphic via a symmetric monoidal functor to the 
algebraic model of computation, thus reconciling the process and algebraic view 
in a fully functorial construction (a result not possible for Petri nets). Moreover, a 
graphical presentation is introduced for pre-net processes. 

- A domain semantics for pre-nets can be defined by generalising a construction 
proposed for ordinary nets in [MMS96]. Given a pre-net $R$, the comma category 
$(u \downarrow \mathcal{Z}(R))$, where $u$ is the initial state of $R$ and $\mathcal{Z}(R)$ its algebraic model, is a preorder
whose ideal completion is a prime algebraic domain. Roughly this domain 
consists of the set of deterministic processes of the net, endowed with a kind of 
prefix ordering. 

- An unfolding semantics can be defined which associates to any pre-net, first an 
acyclic pre-net representing all its possible computations in a single branching 
structure, then an event structure and finally a prime algebraic domain. 

- Since the unfolding is essentially a nondeterministic process that completely de- 
scribes the behaviour of a pre-net, a clear link between the unfolding and the alge- 
braic approach is called for. The result showing that the domain originating from 
the algebraic model of computation and the one extracted from the unfolding are 
isomorphic, can now be stated in a satisfactory categorical framework: the two con- 
structions can be expressed as naturally isomorphic functors (while the analogous 
result for ordinary Petri nets [MMS96] holds only at the level of objects). 

- Finally, the pre-net and Petri net framework are reconciled by explaining how the 
domain semantics of a net and of its pre-net implementations are related. 

We remark that, although in the case of pre-nets all the constructions are functorial, one link is still missing, because the functor that abstracts the unfolding of a pre-net to a prime event structure is not characterised as a universal construction. Whether the mentioned construction can be defined as a right adjoint or not is a non-trivial question. We strongly conjecture that the answer is negative, but this is left as an open problem.

P. Baldan, R. Bruni, and U. Montanari

Over the years, Petri nets have been generalised in several ways to increase their expressivity. In the last part of the paper we focus on a mild but significant extension, i.e., the addition of read arcs, which allows one to provide a faithful representation of read-only accesses to resources. Nets with read arcs, called contextual nets in [MR95], have been used to model a variety of applications and phenomena, such as transaction serializability in databases [DFMR94], concurrent constraint programming [MR94], asynchronous systems [Vog97], and analysis of cryptographic protocols [CW01].

Pre-nets have been already shown to be useful to define a neat algebraic semantics 
for contextual nets [BMMS02]. Here, relying on some previous work on the different 
semantic approaches for nets with read arcs, we discuss how the whole theory developed 
in this paper for ordinary pre-nets generalises in the presence of read arcs. 

Synopsis. The rest of the paper is structured as follows. Section 1 reviews the basics 
of pre-nets and their algebraic semantics. Section 2 defines a process semantics for 
pre-nets and compares it to the algebraic semantics. Section 3 develops the unfolding 
semantics of pre-nets. Section 5 extends our results to nets with read arcs. Finally, Sec- 
tion 6 summarises the results in the paper and some open questions. We assume that the 
reader has some familiarity with P/T Petri net theory and category theory. 



1 Pre-nets and Their Algebraic Semantics 

In this section we recall the basics of pre-nets [BMMS99,BMMS01], discussing their 
algebraic semantics and the relation with ordinary P/T Petri nets. 

Notation. Given a set $X$, we denote by $X^\otimes$ the free monoid over $X$ (finite strings of elements of $X$) with the empty string $\varepsilon$ as the unit, and by $X^\oplus$ the free commutative monoid over $X$ (finite multisets over $X$) with unit the empty multiset $\emptyset$. We write $\mu : X^\otimes \to X^\oplus$ for the function mapping any string to the underlying multiset. Furthermore, given a function $f : X \to Y^\otimes$ we denote by $f^\otimes : X^\otimes \to Y^\otimes$ its obvious monoidal extension. Similarly, given $g : X \to Y^\oplus$ we denote by $g^\oplus : X^\oplus \to Y^\oplus$ its commutative monoidal extension. Given $u \in X^\otimes$ or $u \in X^\oplus$ we denote by $[u]$ the underlying subset of $X$, defined in the obvious way. When set relations are used over strings and multisets, we implicitly refer to the underlying set. E.g., for $u, v \in X^\otimes$ (or $X^\oplus$) by $x \in u$ we mean $x \in [u]$ and similarly $u \cap v$ means $[u] \cap [v]$.

Recall that a P/T Petri net is a tuple $N = (\partial_0, \partial_1, S, T)$, where $S$ is a set of places, $T$ is a set of transitions, and $\partial_0, \partial_1 : T \to S^\oplus$ are functions assigning multisets called source and target, respectively, to each transition. A marked net is a pair $(N, m)$ where $N$ is a P/T Petri net and $m \in S^\oplus$. A Petri net morphism $f = (f_S, f_T) : N \to N'$ is a pair where $f_S : S^\oplus \to S'^\oplus$ is a monoid homomorphism, and $f_T : T \to T'$ is a function such that $\partial'_i \circ f_T = f_S \circ \partial_i$, for any $t \in T$ and $i \in \{0, 1\}$. The category of P/T Petri nets (as objects) and Petri net morphisms (as arrows) is denoted by Petri. A morphism of marked P/T nets $f : (N, m) \to (N', m')$ is subject to the additional requirement of preservation of the initial marking, i.e., $f_S(m) = m'$. The category of marked P/T Petri nets (as objects) and marked Petri net morphisms (as arrows) is denoted by Petri$_*$.

Pre-nets, Read Arcs and Unfolding: A Functorial Presentation

Fig. 1. The P/T Petri net $N_0$ and (one of) its pre-net implementations $R_0$.

A pre-net is roughly a Petri net where the resources (tokens in places) are linearly 
ordered. In other words, the state as well as the pre- and post-conditions of transitions 
are strings rather than multisets of places. 

Definition 1 (pre-net). A pre-net is a tuple $R = (\zeta_0, \zeta_1, S, T)$ where $S$ is a set of places, $T$ is a set of transitions, and $\zeta_0, \zeta_1 : T \to S^\otimes$ are functions assigning, respectively, source and target to transitions. A marked pre-net is a pair $(R, u)$ with $R$ a pre-net and $u \in S^\otimes$.

The pictorial representation of Petri nets has certainly played an important role in their large diffusion as a specification framework. This graphical presentation (places represented as circles, transitions as boxes, pre- and post-set multirelation as weighted arcs, tokens as black bullets) can be extended to pre-nets by adopting the following conventions: (1) weighted arcs are replaced by arcs labelled with the ordered list of positions in which the place appears in the pre- / post-set of the transition, with lists of length greater than one enclosed in curly brackets; (2) tokens are represented as numbers denoting their positions in the current state. An example of pre-net $R_0$ can be found in the right part of Fig. 1. It will be used throughout the paper to illustrate definitions and concepts. From the inscription $\{1, 3\}$ of the arc from $a$ to $t_0$, we see that a firing of $t_0$ requires two tokens from $a$, to be taken as first and third consumed resources, while the second token to be consumed by $t_0$ must be taken from $c$, as imposed by the inscription 2 of the arc from $c$ to $t_0$ (we remark that 2 denotes a position, not the number of tokens to be consumed). Moreover, from the inscriptions inside the circles for $a$, $b$ and $c$, we note that the initial marking of $R_0$ is the string $u = abca$, i.e., that $a$ occurs in the first and fourth positions of $u$, $b$ in the second, and $c$ in the third.

As for P/T Petri nets, the notion of pre-net morphism naturally arises from an alge- 
braic view, where places and transitions play the role of sorts and operators. 

Definition 2 (pre-net morphism). A pre-net morphism from $R = (\zeta_0, \zeta_1, S, T)$ to $R' = (\zeta'_0, \zeta'_1, S', T')$ is a pair $f = (f_S, f_T)$ where $f_S : S^\otimes \to S'^\otimes$ is a monoid homomorphism, and $f_T : T \to T'$ is a function such that $\zeta'_i \circ f_T = f_S \circ \zeta_i$ for $i \in \{0, 1\}$. We denote by PreNet the category of pre-nets and their morphisms with the obvious composition.

A marked pre-net morphism from $(R, u)$ to $(R', u')$ is a pre-net morphism $f : R \to R'$ such that $f_S(u) = u'$. We denote by PreNet$_*$ the category of marked pre-nets and their morphisms with the obvious composition.

Pre-nets can be seen as a specification formalism (slightly) more concrete than Petri 
nets. In particular any pre-net R can be thought of as an “implementation” of the Petri 
net which is obtained from R replacing any string by the corresponding multiset. This 
construction is formalised below. 

Definition 3. The functor $\mathcal{A} : \mathbf{PreNet} \to \mathbf{Petri}$ is defined as follows:

- any pre-net $R = (\zeta_0, \zeta_1, S, T)$ is mapped to $\mathcal{A}(R) = (\partial_0, \partial_1, S, T)$, where $\partial_i(t) = \mu(\zeta_i(t))$ for each $t \in T$ and $i \in \{0, 1\}$;

- any pre-net morphism $f : R \to R'$ is mapped to $\mathcal{A}(f) = (g_S, f_T)$, where $g_S(s) = \mu(f_S(s))$ for each $s \in S$.

We denote by $\mathcal{A}_* : \mathbf{PreNet}_* \to \mathbf{Petri}_*$ the obvious extension of $\mathcal{A}$ to marked nets.

For instance, referring to Fig. 1, the ordinary Petri net $N_0$ in the left part is implemented by $R_0$, i.e., we have $\mathcal{A}(R_0) = N_0$. The transition $t_0 : 2a \oplus c \to c \oplus d \in N_0$ is implemented as $t_0 : aca \to cd \in R_0$, and $t_1 : b \oplus c \to c \oplus e \in N_0$ as $t_1 : bc \to ec \in R_0$. Clearly alternative implementations would have been possible exploiting different linearizations.

Intuitively, a computation of a pre-net consists of "explicit" steps, namely firings of transitions which consume and produce resources, and of "implicit" steps which rearrange the order of the resources to allow the application of transitions. All the sequences of implicit steps that implement the same permutation of a given state are indistinguishable. Formally, the model of computation of a pre-net is the free symmetric strict monoidal category generated by the pre-net, the symmetries playing the role of the above mentioned implicit steps. Let SSMC be the category of symmetric strict monoidal categories (as objects) and symmetric monoidal functors (as arrows), and let $\mathbf{SSMC}^\otimes$ denote the full subcategory containing only the categories whose monoid of objects is freely generated. Then the algebraic model of computation of a pre-net $R$ is its image $\mathcal{Z}(R)$ through $\mathcal{Z} : \mathbf{PreNet} \to \mathbf{SSMC}^\otimes$, the left adjoint to the obvious forgetful functor from $\mathbf{SSMC}^\otimes$ to PreNet. A more illustrative definition is given below.

Definition 4. Given a pre-net $R = (\zeta_0, \zeta_1, S, T)$, the model of computation $\mathcal{Z}(R)$ is a symmetric monoidal category whose objects are the elements of $S^\otimes$ and whose arrows are generated by the rules in Fig. 2, quotiented out by the axioms of monoidal categories and the coherence axioms making $\gamma_{\_,\_}$ the symmetry natural isomorphism (all axioms are collected in Fig. 3).

Recall that a pointed category is a pair $(C, O_C)$, where $C$ is a category and $O_C$ is an object in $C$. A pointed functor $F : (C, O_C) \to (D, O_D)$ is a functor $F : C \to D$ such that $F(O_C) = O_D$. The construction of the model of computation extends to marked pre-nets and to the category $\mathbf{SSMC}^\otimes_*$ of pointed strictly symmetric monoidal categories.

Definition 5. Given a marked pre-net $(R, u)$, the model of computation $\mathcal{Z}_*((R, u))$ is the pointed category $(\mathcal{Z}(R), u)$.
$$\frac{u \in S^\otimes}{id_u : u \to u \in \mathcal{Z}(R)} \qquad
\frac{u, v \in S^\otimes}{\gamma_{u,v} : uv \to vu \in \mathcal{Z}(R)} \qquad
\frac{t \in T \quad \zeta_0(t) = u \quad \zeta_1(t) = v}{t : u \to v \in \mathcal{Z}(R)}$$

$$\frac{\alpha : u \to v,\ \alpha' : u' \to v' \in \mathcal{Z}(R)}{\alpha \otimes \alpha' : uu' \to vv' \in \mathcal{Z}(R)} \qquad
\frac{\alpha : u \to v,\ \beta : v \to w \in \mathcal{Z}(R)}{\alpha ; \beta : u \to w \in \mathcal{Z}(R)}$$

Fig. 2. Inference rules for $\mathcal{Z}(R)$.



For any $u, v, w \in S^\otimes$ and for any $\alpha : u \to v$, $\beta : v \to w$, $\delta : w \to z$, $\alpha' : u' \to v'$, $\beta' : v' \to w'$, $\alpha'' : u'' \to v''$ in $\mathcal{Z}(R)$:

$$\begin{array}{ll}
\text{UNIT:} & id_\varepsilon \otimes \alpha = \alpha = \alpha \otimes id_\varepsilon \\
\text{ASSOCIATIVITY:} & (\alpha \otimes \alpha') \otimes \alpha'' = \alpha \otimes (\alpha' \otimes \alpha'') \qquad (\alpha ; \beta) ; \delta = \alpha ; (\beta ; \delta) \\
\text{IDENTITIES:} & \alpha ; id_v = \alpha = id_u ; \alpha \qquad id_u \otimes id_v = id_{uv} \\
\text{FUNCTORIALITY:} & (\alpha ; \beta) \otimes (\alpha' ; \beta') = (\alpha \otimes \alpha') ; (\beta \otimes \beta') \\
\text{NATURALITY:} & (\alpha \otimes \alpha') ; \gamma_{v,v'} = \gamma_{u,u'} ; (\alpha' \otimes \alpha) \\
\text{COHERENCE:} & \gamma_{u,vw} = (\gamma_{u,v} \otimes id_w) ; (id_v \otimes \gamma_{u,w}) \qquad \gamma_{u,v} ; \gamma_{v,u} = id_{uv}
\end{array}$$

Fig. 3. Axioms for $\mathcal{Z}(R)$.



Notice that $\mathcal{Z}_*$ extends to a left adjoint functor from PreNet$_*$ to $\mathbf{SSMC}^\otimes_*$.

Given a pre-net $R$ and two states $u, v \in S^\otimes$ we say that $v$ is reachable from $u$ if there is an arrow $\alpha : u \to v$ in $\mathcal{Z}(R)$. If $(R, u)$ is a marked pre-net we say that $v$ is reachable if it is reachable from $u$. One can easily see that $v$ is reachable in $(R, u)$ if and only if $\mu(v)$ is reachable in $\mathcal{A}_*((R, u))$. More generally, given any P/T net $N$, all its pre-net implementations have essentially the same behaviour, in the sense that they have isomorphic models of computation. Hence the semantics of $N$ can be recovered by an arbitrarily chosen pre-net implementation.

Theorem 1. For any pair of pre-nets $R$ and $R'$, if $\mathcal{A}(R) \cong \mathcal{A}(R')$ then $\mathcal{Z}(R) \cong \mathcal{Z}(R')$ via a symmetric monoidal functor.

Moreover, the category $\mathcal{Z}(R)$ can be quotiented out by suitable axioms to recover all the algebraic computational models of $\mathcal{A}(R)$ in the literature (e.g. concatenable processes, commutative processes). Analogous results hold also in the marked case.
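As an added illustration of Definitions 1 and 3 and of the reachability statement above (example code, not from the paper), the following Python encodes the running example $R_0$ of Fig. 1, computes $\mathcal{A}(R_0)$ by forgetting the order of strings, and checks that a string is reachable in $(R_0, abca)$ exactly when its multiset is reachable in the implemented Petri net; the second implementation `R0_ALT` and the one-step search over $\mathcal{Z}(R)$ are our own assumptions.

```python
from collections import Counter, deque
from itertools import permutations

# Constructed encoding of the running example R_0 of Fig. 1 (assumption: only
# the two transitions named in the text).  A transition maps to its source and
# target *strings* of places, as in Definition 1.
R0 = {"t0": ("aca", "cd"), "t1": ("bc", "ec")}
U0 = "abca"                       # initial state of the marked pre-net (R_0, abca)

# A second, differently linearised implementation of the same Petri net N_0
# (constructed; the text only says that such alternatives exist).
R0_ALT = {"t0": ("aac", "dc"), "t1": ("cb", "ce")}
U0_ALT = "caba"


def mu(s):
    """mu : S^(x) -> S^(+), forgetting the order of a string (hashable multiset)."""
    return frozenset(Counter(s).items())


def implemented_net(R):
    """Object part of the functor A: source and target strings become multisets."""
    return {t: (mu(src), mu(tgt)) for t, (src, tgt) in R.items()}


def prenet_steps(R, u):
    """One-step successors of the state u in Z(R): an implicit step (any
    permutation of u, i.e. a composite of the symmetries gamma) or an explicit
    step id_w1 (x) t (x) id_w2 for a transition t whose source is a contiguous
    substring of u."""
    for p in set(permutations(u)):
        yield "".join(p)
    for src, tgt in R.values():
        for i in range(len(u) - len(src) + 1):
            if u[i:i + len(src)] == src:
                yield u[:i] + tgt + u[i + len(src):]


def reachable_prenet(R, u):
    """All states v with an arrow u -> v in Z(R) (breadth-first search)."""
    seen, todo = {u}, deque([u])
    while todo:
        for v in prenet_steps(R, todo.popleft()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return frozenset(seen)


def reachable_petri(N, m):
    """Reachable markings of the P/T net N from the multiset m (as built by mu)."""
    seen, todo = {m}, deque([m])
    while todo:
        cur = Counter(dict(todo.popleft()))
        for src, tgt in N.values():
            s, t = Counter(dict(src)), Counter(dict(tgt))
            if all(cur[p] >= k for p, k in s.items()):      # enough tokens?
                nxt = frozenset(((cur - s) + t).items())
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return frozenset(seen)


def reachability_agrees(R, u):
    """v reachable in (R, u)  iff  mu(v) reachable in A_*((R, u))."""
    pre = {mu(v) for v in reachable_prenet(R, u)}
    return pre == reachable_petri(implemented_net(R), mu(u))


def same_behaviour(R1, u1, R2, u2):
    """Two pre-net implementations of the same marked net reach the same
    markings: the object-level content of Theorem 1."""
    return (implemented_net(R1) == implemented_net(R2) and mu(u1) == mu(u2)
            and {mu(v) for v in reachable_prenet(R1, u1)}
            == {mu(v) for v in reachable_prenet(R2, u2)})
```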



2 Concatenable Processes for Pre-nets 

In this section we introduce a notion of (concatenable) process for pre-nets. A process 
is intended to provide a static representation of a concurrent computation, which makes 
explicit the events occurring in the computation and their causal dependencies. The 
appropriateness of our notion of pre-net process will be formalised by showing that 
for any pre-net the category of concatenable processes is isomorphic to its model of 
computation via a symmetric monoidal functor. 



2.1 Safe and Occurrence Pre-nets 

Let $R$ be a pre-net. A state $u \in S^\otimes$ is called safe if any place occurs at most once in $u$, i.e., if $\mu(u)$ is a safe marking. A marked pre-net is called safe if the source and target of all transitions as well as all the reachable states are safe.

Definition 6 (causality, conflict, concurrency). Let $R = (\zeta_0, \zeta_1, S, T)$ be a pre-net. The causality relation is the least transitive relation $<_R \subseteq (S \cup T) \times (S \cup T)$ such that

(i) if $s \in \zeta_0(t)$ then $s <_R t$; (ii) if $s \in \zeta_1(t)$ then $t <_R s$.

Given a place or transition $x \in S \cup T$, we denote by $\lfloor x \rfloor$ the set of causes of $x$ in $T$, defined as $\lfloor x \rfloor = \{t \in T \mid t \le_R x\} \subseteq T$, where $\le_R$ is the reflexive closure of $<_R$.

The conflict relation $\#_R \subseteq (S \cup T) \times (S \cup T)$ is defined as the least relation such that

(i) if $\zeta_0(t) \cap \zeta_0(t') \neq \emptyset$ then $t \#_R t'$; (ii) if $x \#_R x'$ and $x' <_R x''$ then $x \#_R x''$.

A set of places $X \subseteq S$ is concurrent, written $co(X)$, if for any $s, s' \in X$ neither $s < s'$ nor $s \# s'$, and $\bigcup_{s \in X} \lfloor s \rfloor$ is finite.

Definition 7 (occurrence pre-net). An occurrence pre-net is a safe pre-net $R$ such that

(i) causality $<_R$ is a partial order and, for any transition $t$, the set of causes $\lfloor t \rfloor$ is finite;

(ii) there are no backward conflicts, i.e., for any $t \neq t'$, $\zeta_1(t) \cap \zeta_1(t') = \emptyset$; (iii) conflict $\#_R$ is irreflexive. An occurrence pre-net is deterministic if it has no forward conflicts, i.e., for any $t \neq t'$, $\zeta_0(t) \cap \zeta_0(t') = \emptyset$.

We denote by PreOcc$_*$ the full subcategory of PreNet$_*$ whose objects are occurrence pre-nets.

It is immediate to verify that the relations of causality and conflict in a pre-net $R$ are the same as in the implemented Petri net $\mathcal{A}(R)$. Hence $R$ is a safe (occurrence) pre-net if and only if the corresponding Petri net $\mathcal{A}(R)$ is a safe (occurrence) net. This implies that $\mathcal{A}_*$ restricts to a well-defined functor from PreOcc$_*$ to Occ$_*$, the full subcategory of Petri$_*$ where objects are occurrence nets.

2.2 Processes of a Pre-net 

An interesting feature of Petri nets is the fact that a net process can still be represented 
as a special Petri net (decorated with a morphism to the original net) [GR83]. This is 
true also for pre-nets. 

Let us call a pre-net morphism $f : R \to R'$ elementary if for any $s \in S$, $f_S(s) \in S'$ (places are sent to single places rather than to strings).

Definition 8 (process). Let $R = (\zeta_0, \zeta_1, S, T)$ be a pre-net. A process of $R$ is an elementary pre-net morphism $\pi : O \to R$ where $O$ is an occurrence pre-net and for any $t, t' \in T_O$, if $\pi_T(t) = \pi_T(t')$ and $\zeta_0(t) = \zeta_0(t')$ then $t = t'$ (irredundancy).

The process $\pi$ is finite / deterministic if the underlying occurrence pre-net $O$ is finite / deterministic. For a finite deterministic process $\pi$ we denote by $min(\pi)$ (resp., $max(\pi)$) the set of places of $O$ which are minimal (resp., maximal) w.r.t. $<_O$.
A concatenable process of a pre-net is a deterministic finite process of the net with explicit source and target states, i.e., with a total ordering on the minimal and maximal places of the underlying occurrence pre-net.

Definition 9 (concatenable process). A concatenable process of a pre-net $R$ is a triple $\delta = (\sigma, \pi, \tau)$, where $\pi$ is a deterministic finite process of $R$ and $\sigma, \tau \in S_O^\otimes$ are strings of places in $S_O$ such that

$\mu(\sigma) = min(\pi)$ and $\mu(\tau) = max(\pi)$.

We denote by $\zeta_0(\delta)$ the string $\pi_S^\otimes(\sigma)$ and by $\zeta_1(\delta)$ the string $\pi_S^\otimes(\tau)$.

An isomorphism of (concatenable) processes $\delta$ and $\delta'$ is an isomorphism of the underlying pre-nets consistent with the mapping to the original pre-net and with the linearizations of minimal and maximal places. The isomorphism class of a concatenable process $\delta$ is written $[\delta]$ and called an abstract concatenable process.

Concatenable processes $\delta = (\sigma, \pi, \tau)$ of pre-nets can be graphically represented by slightly adjusting the visual modelling of ordinary Petri processes: (1) places (and transitions) are labelled by their images through $\pi$; (2) minimal (resp. maximal) places carry also as superscript (resp., subscript) their position in $\sigma$ (resp., $\tau$); (3) arcs are labelled by the (unique) position in which the place appears in the pre- and post-set of the transition (again, we remark that arc labels stand for positions, not for weights).

In Fig. 4 some simple processes are illustrated (for our running example $R_0$) that correspond to single transitions, place identities and permutations.

Given two concatenable processes $\delta_1 = (\sigma_1, \pi_1, \tau_1)$ and $\delta_2 = (\sigma_2, \pi_2, \tau_2)$, such that $\zeta_1(\delta_1) = \zeta_0(\delta_2)$, their concatenation is defined as the process obtained by gluing the maximal places of $\pi_1$ and the minimal places of $\pi_2$ according to their orderings.

Definition 10 (sequential composition). Let $\delta_1 = (\sigma_1, \pi_1, \tau_1)$ and $\delta_2 = (\sigma_2, \pi_2, \tau_2)$ be concatenable processes of a pre-net $R$ such that $\zeta_1(\delta_1) = \zeta_0(\delta_2)$. Suppose $T_1 \cap T_2 = \emptyset$ and $S_1 \cap S_2 = max(\pi_1) = min(\pi_2)$, with $\tau_1 = \sigma_2$. In other words $\delta_1$ and $\delta_2$ overlap only on $max(\pi_1) = min(\pi_2)$, and such places carry the same ordering in the interfaces $\tau_1$ and $\sigma_2$. Then their sequential composition $\delta_1 ; \delta_2$ is the concatenable process $\delta = (\sigma_1, \pi, \tau_2)$, where the process $\pi$ is the (componentwise) union of $\pi_1$ and $\pi_2$.

The above construction induces a well-defined operation of sequential composition between abstract concatenable processes. In particular, if $[\delta_1]$ and $[\delta_2]$ are abstract concatenable processes such that $\zeta_1(\delta_1) = \zeta_0(\delta_2)$ then we can always find $\delta'_2 \in [\delta_2]$ such that $\delta_1 ; \delta'_2$ is defined. Moreover the result of the composition seen at abstract level, namely $[\delta_1 ; \delta'_2]$, does not depend on the particular choice of the representatives.

Definition 11. We denote by $\mathcal{PP}(R)$ the category having the elements of $S^\otimes$ as objects and abstract concatenable processes of $R$ as arrows, with obvious composition as in Definition 10 and obvious identities.

The category $\mathcal{PP}(R)$ is a symmetric strict monoidal category. In fact (1) parallel composition $\otimes$ is readily defined for processes $\delta_1 = (\sigma_1, \pi_1, \tau_1)$ and $\delta_2 = (\sigma_2, \pi_2, \tau_2)$ such that $T_1 \cap T_2 = S_1 \cap S_2 = \emptyset$, as $\delta_1 \otimes \delta_2 = (\sigma_1\sigma_2, \pi, \tau_1\tau_2)$, where $\pi$ is the componentwise union of $\pi_1$ and $\pi_2$; (2) parallel composition induces a well-defined tensor product between abstract concatenable processes; (3) the tensor product is associative (but not commutative!) and it has the empty process $(\varepsilon, \pi_\emptyset, \varepsilon)$ as unit; (4) the component $\gamma_{u,v}$ of the symmetry natural isomorphism is defined by the abstract class of processes $(\sigma_u\sigma_v, \pi, \sigma_v\sigma_u)$ with no transitions and such that $\pi^\otimes(\sigma_u) = u$ and $\pi^\otimes(\sigma_v) = v$.

Fig. 4. Textual and graphical representation of simple pre-net processes.

Fig. 5. Tensor product of simple processes.

In Fig. 5 the processes of Fig. 4 are composed via tensor products in the larger processes $p_1 : abca \to acab$, $p_2 : acab \to cdb$ and $p_3 : bcd \to ecd$. Finally, in Fig. 6, the processes illustrated so far are composed sequentially in $p_4 : abca \to cdb$, $p_5 : cdb \to ecd$ and $p : abca \to ecd$.

The next theorem shows that pre-net processes provide an appropriate description of the concurrent computations of a pre-net $R$, in the sense that concatenable pre-net processes can be seen as concrete representatives of the arrows in $\mathcal{Z}(R)$.

Theorem 2. The category $\mathcal{PP}(R)$ is isomorphic to the model of computation $\mathcal{Z}(R)$ via a symmetric monoidal functor.

The theorem above is proved by observing that, $\mathcal{PP}(R)$ being a symmetric monoidal category, a functor $F : \mathcal{Z}(R) \to \mathcal{PP}(R)$ can be easily defined by mapping generators to generators. A functor in the converse direction is defined by identifying a normal form for the processes in $\mathcal{PP}(R)$ which, roughly, corresponds to a maximally concurrent computation. As a technical remark, the proof is much simpler w.r.t. analogous ones for (concatenable, strongly concatenable) process categories associated to Petri nets, as we can (arbitrarily) fix the normal form expression in such a way that all isomorphic processes have exactly the same normal form (whereas in Petri nets the normal form can be fixed only up to isomorphism).

Fig. 6. Sequential composition of processes.



3 Unfolding of Pre-nets 

A deterministic process describes a single deterministic computation of the net. The 
unfolding approach, originally devised in [NPW81], associates to a system a single 
denotational structure representing, in an unambiguous way, all the events occurring 
in any possible computation and their dependencies. This structure expresses not only 
the causal ordering between the events, but also gives an explicit representation of the 
branching (choice) points of the computations. 

In this section we develop a functorial unfolding semantics for pre-nets, discussing 
the difficulties which arise in trying to express this functor as a universal construction. 

3.1 Unfolding Construction 

Given a marked pre-net $(R, u)$ the unfolding construction unwinds $R$ into an occurrence pre-net, starting from the initial state $u$, firing transitions in all possible ways and recording the corresponding occurrences.
$$\frac{1 \le i \le |u|}{u'_i = (\emptyset, u_i, i) \in S' \qquad \eta_S(u'_i) = u_i}$$

$$\frac{v \in S'^\otimes \text{ safe} \qquad co([v]) \qquad t \in T \qquad \eta_S^\otimes(v) = \zeta_0(t)}{t' = (v, t) \in T' \qquad \eta_T(t') = t \qquad \zeta'_0(t') = v}$$

$$\frac{t' = (v, t) \in T' \qquad \zeta_1(t) = w_1 \ldots w_n}{w'_i = (\{t'\}, w_i, i) \in S' \qquad \eta_S(w'_i) = w_i \qquad \zeta'_1(t') = w'_1 \ldots w'_n}$$

Fig. 7. Inference rules for the unfolding $\mathcal{U}_p((R, u))$ of a pre-net $R$.

Definition 12 (unfolding). Let $(R, u)$ be a marked pre-net. The unfolding $\mathcal{U}_p((R, u)) = ((\zeta'_0, \zeta'_1, S', T'), u')$ and the folding morphism $\eta_R = (\eta_S, \eta_T) : \mathcal{U}_p(R) \to R$ are the occurrence pre-net and (elementary) pre-net morphism inductively defined by the rules in Fig. 7, with $u' = (\emptyset, u_1, 1) \ldots (\emptyset, u_{|u|}, |u|)$ (where $u_i$ denotes the $i$th element of the string $u$, and $|u|$ is the length of $u$).

Observe that items in the unfolding are enriched with their causal histories. Any place $s' = (x, w_i, i)$ records its generator $x$ ($x$ is empty when the place is in the initial state, otherwise $x$ is a singleton), the place $w_i$ in the original pre-net and a number $i$ which allows one to distinguish multiple occurrences of tokens in the same place having the same history. Any transition $t' = (v, t)$ represents a firing of $t$ that consumes the string of resources $v$.

The unfolding of our running example $R_0$, with initial state $abca$, is depicted in Fig. 8. The morphism $\eta_{R_0} : \mathcal{U}_p((R_0, abca)) \to R_0$ is implicitly represented by labelling each place and transition $x$ with its image $\eta_{R_0}(x)$. For some items in the unfolding also the concrete identity is provided. For instance, $a_4 = (\emptyset, a, 4)$ represents the occurrence of $a$ in the fourth position of the initial marking, and $t'_0 = (a_4 c_3 a_1, t_0)$ represents an occurrence of $t_0$ which fires using the fourth, third and second resource in the initial state.

The unfolding construction can be characterised as a universal construction establishing a coreflection between the categories PreOcc$_*$ and PreNet$_*$.

Theorem 3. The unfolding construction induces a functor $\mathcal{U}_p : \mathbf{PreNet}_* \to \mathbf{PreOcc}_*$, right adjoint to the inclusion $\mathcal{I}_p : \mathbf{PreOcc}_* \to \mathbf{PreNet}_*$, with counit $\eta : \mathcal{I}_p \circ \mathcal{U}_p \to 1$.
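As an added illustration of Definition 12 (example code, not from the paper), the following Python computes $\mathcal{U}_p((R_0, abca))$ by iterating the three rules of Fig. 7 to a fixpoint, with the causality, conflict and concurrency relations of Definition 6 derived from the histories stored in the items; the encoding of histories as nested tuples and the round bound are our own assumptions.

```python
from itertools import combinations, product

# Constructed encoding of the running example R_0 of Fig. 1 (assumption: only
# the two transitions named in the text): transition -> (source, target) strings.
R0 = {"t0": ("aca", "cd"), "t1": ("bc", "ec")}

# Items of the unfolding carry their causal history, as in Definition 12:
#   place      = (generator, place of R, position); generator is () for the
#                initial state and (t',) for the transition t' that produced it
#   transition = (v, t) with v the tuple of unfolding places it consumes


def causes(x):
    """The set of causes of x (Definition 6): transitions t'' with t'' <= x,
    read off the history stored in x."""
    if len(x) == 3:                                    # a place
        gen = x[0]
        return set() if not gen else {gen[0]} | causes(gen[0])
    v, _ = x                                           # a transition
    return {x}.union(*(causes(p) for p in v))


def causally_related(p, q):
    """p < q or q < p: a place is below every transition that consumes it,
    hence below everything such a transition generates."""
    return (any(p in t_[0] for t_ in causes(q))
            or any(q in t_[0] for t_ in causes(p)))


def in_conflict(p, q):
    """p # q: a cause of p and a distinct cause of q consume a common place
    (direct conflict between transitions, inherited along causality)."""
    return any(t1 != t2 and set(t1[0]) & set(t2[0])
               for t1 in causes(p) for t2 in causes(q))


def concurrent(v):
    """co([v]) for a safe string v of unfolding places (finiteness of the
    union of causes holds by construction)."""
    return all(not causally_related(p, q) and not in_conflict(p, q)
               for p, q in combinations(v, 2))


def unfold(R, u, max_rounds=50):
    """U_p((R, u)) computed as a fixpoint of the rules of Fig. 7.  Returns
    (places, transitions) where transitions maps each t' = (v, t) to the
    string zeta'_1(t') of places it generates.  The round bound is our own
    addition so that pre-nets with an infinite unfolding still terminate."""
    places = [((), s, i) for i, s in enumerate(u, start=1)]    # first rule
    trans = {}
    for _ in range(max_rounds):
        new = {}
        for t, (src, tgt) in R.items():
            # candidates for each position of the source: places with that label
            slots = [[p for p in places if p[1] == s] for s in src]
            for v in product(*slots):
                if len(set(v)) < len(v) or (v, t) in trans:  # v safe, t' new
                    continue
                if concurrent(v):                             # second rule
                    t_ = (v, t)
                    new[t_] = tuple(((t_,), w, i)
                                    for i, w in enumerate(tgt, start=1))
        if not new:
            break
        trans.update(new)                                     # third rule
        for out in new.values():
            places.extend(out)
    return places, trans


def folding(x):
    """The folding morphism eta: the item of R that an unfolding item stands
    for (second component of a place and of a transition alike)."""
    return x[1]
```

For $(R_0, abca)$ the construction stops after three rounds: $t_1$ can fire again only on the $c$ produced by an occurrence of $t_0$, and $t_0$ only on the $c$ produced by the first occurrence of $t_1$, after which every remaining candidate is causally dependent on a place it would consume.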

3.2 Event Structure and Domain Semantics 

The unfolding semantics for a pre-net can be naturally abstracted to a prime event struc- 
ture semantics. Prime event structures (PES) are a simple event based model of (concur- 
rent) computations in which events are considered as atomic and instantaneous steps, 
which can appear only once in a computation. An event can occur only after some other 
events (its causes) have taken place and the execution of an event can inhibit the execu- 
tion of other events. This is formalised via two binary relations: causality, modelled by 
a partial order relation, and conflict, modelled by a symmetric and irreflexive relation, 
hereditary w.r.t. causality. 

Definition 13 (prime event structures). A prime event structure (PES) is a tuple $P = (E, \le, \#)$, where $E$ is a set of events and $\le$, $\#$ are binary relations on $E$ called causality and conflict, respectively, such that:

1. the relation $\le$ is a partial order and $\lfloor e \rfloor = \{e' \in E : e' \le e\}$ is finite for all $e \in E$;

2. the relation $\#$ is irreflexive, symmetric and hereditary with respect to $\le$, i.e., $e \# e'$ and $e' \le e''$ implies $e \# e''$ for all $e, e', e'' \in E$.

Let $P_0 = (E_0, \le_0, \#_0)$ and $P_1 = (E_1, \le_1, \#_1)$ be two PES's. A PES-morphism $f : P_0 \to P_1$ is a partial function $f : E_0 \to E_1$ such that for all $e_0, e'_0 \in E_0$, assuming that $f(e_0)$ and $f(e'_0)$ are defined:

1. $\lfloor f(e_0) \rfloor \subseteq f(\lfloor e_0 \rfloor)$;

2. (a) $f(e_0) = f(e'_0) \wedge e_0 \neq e'_0 \Rightarrow e_0 \#_0 e'_0$; (b) $f(e_0) \#_1 f(e'_0) \Rightarrow e_0 \#_0 e'_0$.

The category of prime event structures and PES-morphisms is denoted by PES.

Fig. 8. The unfolding of $(R_0, abca)$. (Figure not reproduced; its items are labelled with their images under the folding morphism, and for some of them the concrete identity is shown, e.g. $a_4 = (\emptyset, a, 4)$, $c_3 = (\emptyset, c, 3)$, $b_2 = (\emptyset, b, 2)$.)

Given an occurrence pre-net the corresponding PES can be obtained by forgetting about the places, keeping the transitions and the dependency relations among them. The transformation is functorial since the transition component of a morphism between occurrence pre-nets satisfies the requirements to be a PES-morphism between the underlying PES's.

Definition 14 (from occurrence pre-nets to PES's). Let $\mathcal{E}_p : \mathbf{PreOcc}_* \to \mathbf{PES}$ be the functor defined on objects by $\mathcal{E}_p(R) = (T, \le_R, \#_R)$ for any occurrence pre-net $R$ and on arrows by $\mathcal{E}_p(f) = f_T$ for each occurrence pre-net morphism $f : R_0 \to R_1$.

Winskel in his seminal work [Win87] shows that PES's are intimately connected with another classical semantical model, i.e., prime algebraic, finitely coherent, finitary partial orders, hereafter referred to simply as domains [Ber78]. Formally, an equivalence is established between the category PES of prime event structures and the category Dom of domains and additive, stable, immediate precedence-preserving functions:

$$\mathcal{L} : \mathbf{PES} \to \mathbf{Dom}, \qquad \mathcal{P} : \mathbf{Dom} \to \mathbf{PES}, \qquad \mathbf{PES} \simeq \mathbf{Dom}$$

The functor $\mathcal{L}$ associates to each PES the domain of its configurations, while the functor $\mathcal{P}$ maps each domain to a PES having its prime elements as events. Relying on this classical result, the PES semantics defined in this section for pre-nets can be equivalently interpreted as a domain semantics. The situation is summarised in Fig. 9.

Fig. 9. Denotational semantics of pre-nets: $\mathbf{PreNet}_* \rightleftarrows \mathbf{PreOcc}_* \xrightarrow{\mathcal{E}_p} \mathbf{PES} \rightleftarrows \mathbf{Dom}$, with the coreflection $\mathcal{I}_p \dashv \mathcal{U}_p$ on the left and the equivalence given by $\mathcal{L}$ and $\mathcal{P}$ on the right.

Interestingly, a clear relation can be established between the functorial domain semantics of a Petri net $N$ as defined in [MMS96] and the domain semantics of its pre-net implementations defined here. Recall that, generalising Winskel's work on safe nets [Win87], the semantics for ordinary P/T Petri nets in [MMS96] is given as a chain of adjunctions from the category of nets to the category of domains. The diagram below summarises these results.

[Diagram: the chain of adjunctions of [MMS96] leading from PTNets through Safe$_*$, DecOcc$_*$, Occ and PES to Dom, including the unfolding functor $\mathcal{U}_d$ and the domain functor $\mathcal{L}$; the remaining functor names are not legible in the scan.]

The domain associated to a Petri net by the above construction can be obtained from that of any of its pre-net implementations by equating all the events which correspond to occurrences of the same transition with different linearizations of the same resources (which may differ for the order of tokens in the same place). Formally this is expressed as a natural transformation between the two semantics:

Theorem 4. There is a natural transformation $q : \mathcal{L} \circ \mathcal{E}_p \circ \mathcal{U}_p \Rightarrow \mathcal{L} \circ \mathcal{E} \circ \mathcal{U}_d \circ \mathcal{A}$.

As a consequence (as it happens for the algebraic models of computation) the domains associated to the pre-net implementations of a given net are all isomorphic, i.e., for all $R, R'$, if $\mathcal{A}(R) \cong \mathcal{A}(R')$ then $\mathcal{L} \circ \mathcal{E}_p \circ \mathcal{U}_p(R) \cong \mathcal{L} \circ \mathcal{E}_p \circ \mathcal{U}_p(R')$.

Unfortunately, in the case of pre-nets finding a left adjoint for the functor $\mathcal{E}_p$ appears to be quite problematic. Intuitively, the left adjoint should freely generate an occurrence pre-net from any PES in a way which guarantees the existence and uniqueness of a representation of PES-morphisms in PreOcc$_*$. Places could be freely generated as for ordinary Petri nets, but then it would be impossible to fix a linear order on the pre- and post-sets of transitions in a "universal" way. Our conjecture is that $\mathcal{E}_p$ is not a right adjoint functor.

An idea which seems promising in view of a universal characterisation of the mentioned construction is to abandon the purely algebraic view of pre-nets, considering an alternative notion of pre-net morphism, based on a weaker condition which requires the preservation of pre- and post-sets of transitions only up to a permutation. The permutation should be explicitly mentioned in the morphism itself, i.e., a morphism $f : R \to R'$ would be enriched with a family of permutations $\{\omega^0_t, \omega^1_t\}_{t \in T}$ such that $\omega^i_t : f_S(\zeta_i(t)) \to \zeta_i(f_T(t))$ for any transition $t$ in $R$.



4 Reconciling the Unfolding and Algebraic Semantics of Pre-nets 

The unfolding of a marked pre-net can be seen as a maximal nondeterministic pro- 
cess, representing all its possible computations. Hence it is natural to expect that a 
tight relationship can be established between the unfolding and the algebraic / process 
approach. In this section we show that the domain produced through the unfolding con- 
struction can be obtained, equivalently, by means of a functorial construction based 
on the model of computation. The correspondence holds at categorical level, namely 
the functor $\mathcal{L} \circ \mathcal{E}_p \circ \mathcal{U}_p$ (see Fig. 9) and the new functor based on the algebraic semantics are naturally isomorphic. This improves the analogous result existing for Petri nets [MMS96], which only holds at the object level.

Let be a marked pre-net and consider the comma category (m | !PS’{R)) 

(which, by Theorem 2, is isomorphic to (m J, Z{R))). Objects are concatenable pro- 
cesses of R with source in u, and an arrow exists from a process 5i to 82 if 82 = 8i;8 
for some process 8. It can be shown that {u J, ^‘P{R)) is a preorder, i.e., in (m J, ‘P‘P{R)) 
there is at most one arrow between any two objects. Let <r denote the corresponding 
preorder relation i.e., 81 <r 82 if there exists 8 such that 81 ; 8 = 82. 

An alternative characterisation of <a, enforces the intuitive idea that it is a gener- 
alisation of the prefix ordering over processes. First, we need to introduce the notion of 
left injection for concatenable processes. 

Definition 15 (left injection). Let v; (i G { 1 , 2}) two objects in (u J, ‘P'P{R)), 

with 8,- = (Oi,7ti,T,). A left injection i : 81 — s- 82 is a morphism of pre-nets l : R-p,^ — *■ R^^ 
(where Rji- is the pre-net underlying Ji,), such that 

1 . t preserves the ordering of minimal places, namely O2 = t®(Oi); 

2. t is rigid on transitions, namely for t'2 in R^^. L in Rj^, ift'2 < t(fi) then t'2 = t(t( ) 

for some fj in R-p,^ (the image of a lower set is a lower set). 

The name “injection” comes from the fact that any morphism t between marked de- 
terministic occurrence nets results to be injective on places and transitions. The word 
“left” is related to the fact that i is required to preserve only the string of minimal places. 

Lemma 1. Let Si'.u^ v; (i e {1,2}) be objects in {m } fPlP^R)), with 8; = (Oi,7t;,T,). 
Then 81 82 iff there exists a left injection t : 81 — > 82. 

By exploiting the above characterisation and the fact that Up is a right adjoint 
we can conclude that the ideal completion of the preorder {u } T’T’{R)), denoted by 
ldl((M } T’T’{R))), is isomorphic to the domain L{‘Ep{Up{R))) obtained from the un- 
folding of the pre-net R. 
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Fig. 10. Reconciling the algebraic and unfolding semantics of pre-nets. 



To gain some intuition, observe that the elements of the partial order induced by 
the preorder $(u \downarrow \mathcal{PP}(R))$ are classes of concatenable processes which are "left isomorphic", 
i.e., isomorphic via a left injection. Intuitively, the partial order consists of processes 
starting from a fixed initial state and ordered by prefix. Since processes are finite, 
taking the ideal completion of the partial order induced by the preorder $(u \downarrow \mathcal{PP}(R))$ 
(which produces the same result as taking directly the ideal completion of $(u \downarrow \mathcal{PP}(R))$) 
is necessary for moving from finite computations to arbitrary ones. 

Theorem 5 (unfolding vs. concatenable processes). Let $(R, u)$ be a marked pre-net. 
Then $\mathrm{Idl}((u \downarrow \mathcal{PP}(R)))$ is isomorphic to the domain $\mathcal{L}(\mathcal{E}_P(\mathcal{U}_P(R)))$. 

The above results admit a nice categorical formulation, since all the involved constructions 
can be seen as functors. Let PreOrd be the category of preorders and monotone 
functions, and let $\mathrm{Flat} : \mathrm{Cat} \to \mathrm{PreOrd}$ be the functor mapping any category to the 
underlying preorder (where $x \leq y$ if and only if there is an arrow $f : x \to y$ in the original 
category). Let ${\downarrow} : \mathrm{SSMC}_* \to \mathrm{PreOrd}$ be the functor mapping any pointed symmetric 
strict monoidal category $(C, 0_C)$ to $\mathrm{Flat}((0_C \downarrow C))$. Finally let $\mathrm{Idl} : \mathrm{PreOrd} \to \mathrm{PreOrd}$ be 
the ideal completion functor, mapping any preorder to its ideal completion. Then the 
following result holds (see Fig. 10). 

Theorem 6. There is a natural isomorphism $\rho : \mathrm{Idl} \circ {\downarrow} \circ \mathcal{Z} \cong \mathcal{L} \circ \mathcal{E}_P \circ \mathcal{U}_P$. 



5 Adding Read Arcs 

Several extensions of ordinary Petri nets have been proposed in the literature to enrich 
the expressiveness of the basic model. A mild generalisation which has been shown to 
be quite useful is the addition of the so-called read arcs, which allow a transition to 
check for the presence of a token in a place without removing the token itself. Observe 
that a read arc cannot be safely replaced by a self-loop, since the former allows a greater 
amount of concurrency in the system: a resource can be read in parallel by several transitions 
at the same time, concurrently. For instance, consider again the net $N_0$ in Fig. 1, 
and compare it to the net $N_1$ in Fig. 11, where place $c$ is connected to transitions $t_0$ and $t_1$ 
by read arcs (denoted by undirected lines), meaning that $c$ represents a resource accessed 
in a read-only manner. While in $N_1$ the transitions $t_0$ and $t_1$ can fire concurrently, in the 
net $N_0$, where read arcs are replaced by self-loops, the two transitions are serialised. 

Formally a contextual Petri net is a tuple $N = (\partial_0, \partial_1, \partial_2, S, T)$, where $(\partial_0, \partial_1, S, T)$ 
is an ordinary Petri net and $\partial_2 : T \to S^{\oplus}$ associates to each transition its context. Notice 
that, as a single token can be read concurrently by different transitions, it can be read 
also with multiplicity greater than 1 by the same transition. Hence a transition $t$ can use, 
to fire, any marking ranging from $\partial_0(t) \oplus [\partial_2(t)]$ to $\partial_0(t) \oplus \partial_2(t)$, where $[\partial_2(t)]$ is the 
context with every multiplicity flattened to 1; i.e., it is sufficient 
that any context place contains at least one token. The notion of marked contextual 
net and of (marked) contextual net morphism are defined as structure-preserving graph 
homomorphisms in the obvious way, yielding the categories CPetri and CPetri*. 

Fig. 11. Ordinary nets do not allow for concurrent read-only operations. 

Correspondingly, we consider an extension of pre-nets with read arcs. 

Definition 16 (contextual pre-net). A contextual pre-net is a tuple $R = (\zeta_0, \zeta_1, \zeta_2, S, T)$ 
such that $(\zeta_0, \zeta_1, S, T)$ is a pre-net and $\zeta_2 : T \to S^{\otimes}$ is the context function. 

The notion of pre-net morphism can be extended to contextual pre-nets in the ob- 
vious way, requiring for any transition the preservation of the context, besides pre- and 
post-conditions. Also the extension to marked pre-nets is immediate. We denote by 
CPreNet and by CPreNet* the corresponding categories. 

The algebraic semantics of contextual pre-nets has been developed in [BMMS02], 
taking as models the so-called match-share categories, a kind of symmetric monoidal 
category equipped with two additional (non-natural) transformations. Let $\mathcal{Z}_C(R)$ denote 
the model of computation for a contextual pre-net $R$, as defined in that paper (as a 
special case, in the absence of contexts, $\mathcal{Z}_C(R) = \mathcal{Z}(R)$). The construction can be expressed 
as an adjunction and it is defined in terms of theory morphisms between suitable 
equational theories. Due to space limitations, we cannot give full details here. 

The results developed in this paper for Petri nets and pre-nets generalise to the 
contextual case. In the following we sketch the basic notions, constructions and the 
results involved in the extension. 

First, as it happens for ordinary contextual nets [BCM01], the dependencies among 
events in a contextual pre-net computation cannot be captured completely by two binary 
relations representing causality and symmetric conflict. While causality can be defined 
essentially as in the ordinary case, due to the possibility of preserving part of the state 
in a step of computation, an asymmetric form of conflict arises between transitions. In 
fact, let $t, t'$ be transitions such that $\zeta_2(t) = s = \zeta_0(t')$. Then the firing of $t'$ prevents $t$ 
from being fired, since it consumes the shared resource in $s$. Instead the firing of $t$ just reads 
a resource in $s$ and thus $t'$ can fire after $t$. This kind of dependency is represented by 
introducing an asymmetric conflict relation $\nearrow$ on transitions, which models the previous 
situation as $t \nearrow t'$. An ordinary symmetric conflict, arising when two transitions $t$ 
and $t'$ have a common precondition, is represented as an asymmetric conflict in both 
directions, i.e., $t \nearrow t' \nearrow t$. Finally, since $<$ represents a global order of execution, while 
$\nearrow$ determines an order of execution only locally to each computation, it is natural to 
impose $\nearrow$ to be an extension of $<$. 

$$\frac{1 \leq i \leq |u|}{u'_i = (\emptyset, u_i, i) \in S' \qquad \eta_S(u'_i) = u_i}$$

$$\frac{v_p, v_c \in S'^{\otimes} \quad v_p \text{ safe} \quad \lfloor v_p \rfloor \cap \lfloor v_c \rfloor = \emptyset \quad co(\lfloor v_p \cdot v_c \rfloor) \quad t \in T \quad \eta_S^{\otimes}(v_p) = \zeta_0(t) \quad \eta_S^{\otimes}(v_c) = \zeta_2(t)}{t' = (v_p, v_c, t) \in T' \qquad \eta_T(t') = t \qquad \zeta'_0(t') = v_p \qquad \zeta'_2(t') = v_c}$$

$$\frac{t' = (v_p, v_c, t) \in T' \qquad \zeta_1(t) = w_1 \ldots w_n}{w'_i = (t', w_i, i) \in S' \qquad \eta_S(w'_i) = w_i \qquad \zeta'_1(t') = w'_1 \ldots w'_n}$$

Fig. 12. Inference rules for the unfolding $\mathcal{U}_C((R,u))$ of a contextual pre-net $R$. 
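The two points above (read arcs allow readers of $c$ to fire in one step where self-loops serialise them, and a reader $t$ of $s$ stands in asymmetric conflict with a consumer $t'$ of $s$) can be checked mechanically. The following Python is an added example, not code from the paper; it works with ordinary contextual nets (multisets rather than the strings of pre-nets), uses a step semantics in which a context place needs one token however many transitions of the step read it, and builds its own small nets modelled on Fig. 11 (the place and transition names are constructed for the example).

```python
from collections import Counter


class ContextualNet:
    """Marked contextual Petri net.  A transition is a triple of multisets of
    places: pre (consumed), post (produced) and ctx (read, never removed)."""

    def __init__(self, transitions, marking):
        self.trans = {n: (Counter(pre), Counter(post), Counter(ctx))
                      for n, (pre, post, ctx) in transitions.items()}
        self.m0 = Counter(marking)

    def step_demand(self, step):
        """Marking needed to fire all transitions of `step` at once: the sum of
        their pre-sets plus a single token for every place read by at least
        one of them.  Readers share the token, so a context place is counted
        once, not once per reader."""
        need, read = Counter(), set()
        for name in step:
            pre, _, ctx = self.trans[name]
            need.update(pre)
            read.update(ctx)
        for p in read:
            need[p] += 1
        return need

    def step_enabled(self, step, marking=None):
        m = self.m0 if marking is None else marking
        return all(m[p] >= k for p, k in self.step_demand(step).items())

    def fire_step(self, step, marking=None):
        m = Counter(self.m0 if marking is None else marking)
        if not self.step_enabled(step, m):
            raise ValueError(f"step {tuple(step)} is not enabled")
        for name in step:
            pre, post, _ = self.trans[name]
            m.subtract(pre)
            m.update(post)
        return +m  # drop places whose count reached zero

    def asymmetric_conflict(self):
        """Structural part of t ↗ t' on the net itself: t reads a place that t'
        consumes, or both consume a common place (then the relation holds in
        both directions).  The causal extension of ↗ lives on the unfolding
        and is not computed here."""
        rel = set()
        for t, (pre_t, _, ctx_t) in self.trans.items():
            for u, (pre_u, _, _) in self.trans.items():
                if t != u and (set(ctx_t) & set(pre_u) or set(pre_t) & set(pre_u)):
                    rel.add((t, u))
        return rel


def with_self_loops(net):
    """Replace every read arc by a self-loop, i.e. move the context into both
    the pre- and the post-set (how N_0 is obtained from N_1 in Fig. 11)."""
    return ContextualNet(
        {n: (pre + ctx, post + ctx, Counter())
         for n, (pre, post, ctx) in net.trans.items()},
        net.m0)


# Constructed version of Fig. 11: t0 and t1 both read the single token in c.
N1 = ContextualNet({"t0": ({"a": 1}, {"d": 1}, {"c": 1}),
                    "t1": ({"b": 1}, {"e": 1}, {"c": 1})},
                   {"a": 1, "b": 1, "c": 1})
N0 = with_self_loops(N1)

# Constructed net for the asymmetric conflict: t reads s, u consumes s.
N2 = ContextualNet({"t": ({"x": 1}, {"y": 1}, {"s": 1}),
                    "u": ({"s": 1}, {"z": 1}, {})},
                   {"x": 1, "s": 1})
```

In `N1` the step `("t0", "t1")` is enabled with a single token in `c`; in `N0` the same step demands two tokens in `c` and is refused, although each transition can still fire on its own, one after the other. On `N2` the relation contains `("t", "u")` but not `("u", "t")`.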

The notion of concurrency is updated to take into account the presence of asymmetric 
conflict: a set of places $X \subseteq S$ is concurrent, written $co(X)$, if for any $s, s' \in X$ it does 
not hold $s < s'$, $\lfloor X \rfloor$ is finite and $\nearrow$ is acyclic on $\lfloor X \rfloor$. 

Then the contextual occurrence pre-nets can be naturally defined. 

Definition 17 (occurrence contextual pre-net). An occurrence contextual pre-net is 
a safe pre-net $R$ such that (i) causality $\leq_R$ is a partial order; (ii) $R$ has no backward 
conflicts; (iii) for any transition $t$, the set of causes $\lfloor t \rfloor$ is finite and asymmetric conflict 
$\nearrow_R$ is acyclic on $\lfloor t \rfloor$. An occurrence contextual pre-net is deterministic if it has no 
forward conflicts. 

We denote by CPreOcc* the full subcategory of CPreNet* having marked occurrence 
contextual pre-nets as objects. 

In the unfolding construction below just notice that the second rule takes a context 
$v_c$ which is not required to be safe, consistently with the fact that a single token can be 
read with multiplicity greater than 1. 

Definition 18 (contextual unfolding). Let $(R,u)$ be a marked contextual pre-net. The 
unfolding $\mathcal{U}_C((R,u)) = ((\zeta'_0, \zeta'_1, \zeta'_2, S', T'), u')$ and the folding morphism $\eta = (\eta_T, \eta_S) : 
\mathcal{U}_C(R) \to R$ are the occurrence pre-net and (elementary) contextual pre-net morphism 
inductively defined by the rules in Fig. 12, with $u' = (\emptyset, u_1, 1) \ldots (\emptyset, u_{|u|}, |u|)$. 

Also in this case the unfolding extends to a functor $\mathcal{U}_C : \mathrm{CPreNet}_* \to \mathrm{CPreOcc}_*$ 
which is right adjoint to the inclusion of CPreOcc* into CPreNet*. The unfolding can 
be abstracted to an event based model, called asymmetric event structures (AES's), introduced 
in [BCM01] as a generalisation of Winskel's PES's where conflict is allowed to be 
non-symmetric. As proved in the mentioned paper, the category of AES's coreflects into 
Dom, allowing to recover a domain semantics. The situation is summarised in Fig. 13. 

The algebraic and unfolding approaches to the semantics of contextual pre-nets can 
be reconciled, along the same schema followed for pre-nets, obtaining a commutative 
functorial diagram which generalises Fig. 10 in the presence of read arcs. 

Fig. 13. Denotational semantics of contextual pre-nets: the chain of functors 
CPreNet* → CPreOcc* → AES → Dom, starting with the unfolding $\mathcal{U}_C$ and ending with $\mathcal{L}$. 

Fig. 14. Net semantics. 



6 Conclusions 

We have shown that a functorial unfolding semantics for pre-nets can be developed 
along the lines of the seminal work of Winskel. The semantics is expressed as a chain 
of functors leading from the category PreNet* to the category Dom, through PreOcc* 
and PES. A different construction of a domain for any pre-net can be defined by relying 
on the algebraic semantics of pre-nets, already defined in the literature. Differently from 
what happens for Petri nets, this latter construction can be expressed as a functor from 
PreNet* to Dom. The unfolding and algebraic constructions can be reconciled in a fully 
satisfactory categorical setting, by showing that the corresponding functors are naturally 
isomorphic. The proof relies on the introduction of a concrete notion of process for pre-nets, 
and on a characterisation of the algebraic semantics in terms of such processes. 

Figure 14 summarises our results, connecting them to the known (CTPh and ITPh) 
net semantics. Each column is devoted to a specific semantic flavour (see the classification 
in the Introduction). The last column refers to the possibility of relating the 
algebraic and unfolding views. The entries are either references to the literature where 
the corresponding construction has been presented, or pointers to the sections of our 
contribution. Empty cells stand for unfeasible constructions. Italic text refers to non-functorial 
constructions, i.e., constructions that are defined just at the object level, but 
cannot deal with simulation morphisms. Regular entries stand for functorial constructions, 
and bold entries for adjunctions. Note that, in the case of pre-nets, all constructions 
are feasible and functorial. Finally, we mention that all constructions and results 
for pre-nets are extended to work in the presence of read arcs. 
Abstract. The problem of extending to graph grammars the unfolding 
semantics originally developed by Winskel for (safe) Petri nets has 
been faced several times along the years, both for the single-pushout and 
double-pushout approaches, but only partial results were obtained. In 
this paper we fully extend Winskel's approach to single-pushout grammars 
providing them with a categorical concurrent semantics expressed 
as a coreflection between the category of graph grammars and the category 
of prime algebraic domains. 



Introduction 

It belongs to the folklore that Graph Grammars [25] generalise Petri nets, in 
that they allow for a more structured representation of system states, modelled 
in terms of graphs rather than (multi)sets, and for a more general kind of state 
transformation, modelling also preservation of parts of the state, besides deletion 
and creation. 

During the last years, a rich theory of concurrency for the algebraic ap- 
proaches to graph transformation has been developed, including the generalisa- 
tion of various classical Petri net concurrency models, like Goltz-Reisig process 
semantics [13] and Winskel’s unfolding semantics [27]. 

Recall that, building on [22], the seminal work [27] gives the concurrent 
semantics of (safe) nets by means of a chain of coreflections leading from the 
category of safe Petri nets to the category of prime algebraic domains. 

    Safe Nets  ⇄  Occurrence Nets  ⇄  Prime Event Structures  ⇄  Domains 

The first step unfolds any (safe) net into an occurrence net, i.e., a branching 
acyclic net making explicit causality and conflict (nondeterministic choice point) 
between events in the net. The second step produces a prime event structure 
(PES) abstracting away the state and recording only the events and the relationships 
between events. Finally, the last step maps any PES into the corresponding 
prime algebraic domain of configurations. 

MIUR Project COFIN 2001013518 CoMeta. 

Some important steps have been taken in the direction of developing an 
analogous semantical framework for algebraic graph grammars, but a definitive 
answer has not been provided yet. More precisely, a number of constructions have 
been defined for algebraic, double-pushout (dpo) graph grammars [12, 9] by the 
first three authors (see, e.g., [1]), as summarised by the following diagram: 

    DPO Graph Grammars  →  Occurrence Grammars  →  Inhibitor Event Structures  →  Domains 

Even if at this level of abstraction it is not possible to see the relevant differences 
in the technical treatment of DPO grammars w.r.t. the much simpler case 
of Petri nets, still it is worth pointing at the evident differences between this 
chain of categories and the corresponding one for nets. Firstly, the category of 
PES's is replaced by that of inhibitor event structures (IES's), which, assuming 
conditional or-causality as a basic relation between events, are able to capture 
both the asymmetric conflicts between events arising from the capability of preserving 
part of the state and the inhibiting effects related to the presence of 
the application conditions for rules. The category of domains can be viewed as 
a coreflective subcategory of IES's (as shown by the last step of the chain) and 
thus one can also recover a semantics for DPO grammars in terms of domains and 
PES's. Secondly, the functor from the category of occurrence grammars to the 
category of IES's does not admit a left adjoint establishing a coreflection between 
IES's and occurrence grammars, and thus the whole semantic transformation is 
not expressed as a coreflection. 

In this paper we concentrate on the single-pushout (SPO) approach [18,11] 
to graph transformation. One of the main differences with respect to the dpo 
approach lies in the fact that there are no conditions on rule application, i.e., 
whenever a match is found the corresponding rule can always be applied. For SPO 
grammars an unfolding construction has been proposed in [24], corresponding 
to the first step in the above chains of coreflections. 

Building on the results briefly summarised above, we provide a coreflective 
unfolding semantics for SPO graph grammars, defined through the following chain 
of coreflections: 

    SPO Graph Grammars  ⇄  Occurrence Grammars  ⇄  Asymmetric Event Structures  ⇄  Domains 

In particular, this construction differs from and improves that for dpo graph 
grammars, discussed above, because of the following facts: 

— Due to the absence of application conditions for rules, a less powerful and 
more manageable kind of event structures called asymmetric event structures 
(introduced to deal with contextual nets in [4]), can be used to represent the 
dependency structure of SPO graph grammars. 



Coreflective Concurrent Semantics for Single-Pushout Graph Grammars 167 



— A novel construction, inspired by the work on contextual nets, allows one to associate 
a canonical occurrence SPO graph grammar to any asymmetric event 
structure. This provides the missing step, i.e., a left adjoint functor establishing 
a coreflection between the category of occurrence graph grammars 
and the category of asymmetric event structures. 

An existing result [4] establishes a coreflection between asymmetric event structures 
and domains, so that we obtain a coreflective PES and domain semantics 
for SPO graph grammars. 

These results do not extend immediately to the dpo approach because of 
the presence of application conditions for rules. However, as discussed in the 
conclusions, they can give some suggestions for improving the treatment of this 
more complex case. 

The rest of the paper is structured as follows. In Section 1 we review the 
basics of single-pushout graph grammars and we define the notion of graph 
grammar morphism we shall work with. In Section 2 we discuss the kind of 
dependencies arising between events in SPO graph grammars and we introduce 
the notion of occurrence graph grammar. In Section 3 we briefly discuss the 
unfolding construction for SPO graph grammars and its characterisation as a 
universal construction. In Section 4 we complete the chain of coreflections from 
grammars to domains, showing how any occurrence grammar can be abstracted 
to an asymmetric event structure and, vice versa, how a canonical occurrence 
grammar can be associated to any asymmetric event structure. Finally Section 5 
draws some conclusions. 



1 Typed Graph Grammars and Their Morphisms 

In this section we summarise the basics of graph grammars in the single-pushout 
(SPO) approach [18], an algebraic approach to graph rewriting alternative to the 
classical double-pushout (dpo) approach. The original SPO approach is adapted 
to deal with typed graphs [8, 19], which are, roughly, graphs labelled over a struc- 
ture (the graph of types) that is itself a graph. Then some insights are provided 
on the relationship between typed graph grammars and Petri nets. Finally, the 
class of SPO typed graph grammars is turned into a category GG by defining 
a notion of grammar morphism, which recasts in this setting the morphisms for 
DPO grammars introduced in [3]. 



1.1 Typed Graph Grammars 

Given a partial function $f : A \rightharpoonup B$ we will denote by $\mathrm{dom}(f)$ its domain, i.e., 
the set $\{a \in A \mid f(a) \text{ is defined}\}$. Let $f, g : A \rightharpoonup B$ be two partial functions. We 
will write $f \leq g$ when $\mathrm{dom}(f) \subseteq \mathrm{dom}(g)$ and $f(x) = g(x)$ for all $x \in \mathrm{dom}(f)$. 

For a graph $G$ we will denote by $N_G$ and $E_G$ the sets of nodes and edges of 
$G$, and by $s_G, t_G : E_G \to N_G$ its source and target functions. 
Definition 1 (partial graph morphism). A partial graph morphism $f : G \rightharpoonup H$ 
is a pair of partial functions $f = (f_N : N_G \rightharpoonup N_H,\ f_E : E_G \rightharpoonup E_H)$ such that 
(see Fig. 1(a)): 

$$s_H \circ f_E \leq f_N \circ s_G \quad \text{and} \quad t_H \circ f_E \leq f_N \circ t_G. \qquad (*)$$

We denote by PGraph the category of (directed, unlabelled) graphs and partial 
graph morphisms. A morphism is called total if both components are total, and 
the corresponding full subcategory of PGraph is denoted by Graph. 

Notice that, according to condition (*), if $f$ is defined over an edge then it must 
be defined both on its source and target nodes: this ensures that the domain 
of $f$ is a well-formed graph. The inequalities in condition (*) ensure that any 
subgraph of a graph $G$ can be the domain of a partial morphism $f : G \rightharpoonup H$. 
Instead, the stronger (apparently natural) conditions $s_H \circ f_E = f_N \circ s_G$ and 
$t_H \circ f_E = f_N \circ t_G$ would have forced $f$ to be defined over an edge whenever it 
is defined either on its source or on its target node. 

Given a graph $TG$, a typed graph $G$ over $TG$ is a graph $|G|$, together with a 
total morphism $t_G : |G| \to TG$. A partial morphism between $TG$-typed graphs 
$f : G_1 \rightharpoonup G_2$ is a partial graph morphism $f : |G_1| \rightharpoonup |G_2|$ consistent with the 
typing, i.e., such that $t_{G_1} \geq t_{G_2} \circ f$ (see Fig. 1(b)). A typed graph $G$ is called 
injective if the typing morphism $t_G$ is injective. The category of $TG$-typed graphs 
and partial typed graph morphisms is denoted by $TG$-PGraph. 



Fig. 1. Diagrams for partial graph and typed graph morphisms: (a) the squares of condition (*) 
relating $E_G$, $E_H$, $N_G$ and $N_H$; (b) the typing triangle for $|G_1| \rightharpoonup |G_2|$ over $TG$. 



Given a partial typed graph morphism $f : G_1 \rightharpoonup G_2$, we denote by $\mathrm{dom}(f)$ 
the domain of $f$ typed in the obvious way. 

Definition 2 (graph production and direct derivation). Fixed a graph 
$TG$ of types, a ($TG$-typed graph) production $q$ is an injective partial typed graph 
morphism $r_q : L_q \rightharpoonup R_q$. It is called consuming if the morphism is not total. The 
typed graphs $L_q$ and $R_q$ are called the left-hand side and the right-hand side of 
the production, respectively. 

Given a typed graph $G$ and a match (i.e., a total morphism) $g : L_q \to G$, we 
say that there is a direct derivation $\delta$ from $G$ to $H$ using $q$ (based on $g$), written 
$\delta : G \Rightarrow H$, if the following is a pushout square in $TG$-PGraph. 

    L_q --r_q--> R_q 
     |            | 
     g            | 
     v            v 
     G ---------> H 

Roughly speaking, the rewriting step removes from the graph $G$ the image of 
the items of the left-hand side which are not in the domain of $r_q$, namely $g(L_q - 
\mathrm{dom}(r_q))$, adding the items of the right-hand side which are not in the image of 
$r_q$, namely $R_q - \mathrm{dom}(r_q)$. The items in the image of $\mathrm{dom}(r_q)$ are "preserved" by 
the rewriting step (intuitively, they are accessed in a "read-only" manner). 

A relevant difference with respect to the DPO approach is that here there is 
no dangling condition [9] preventing a rule from being applied whenever its application 
would leave dangling edges. In fact, as a consequence of the way pushouts are 
constructed in $TG$-PGraph, when a node is deleted by the application of a 
rule also all the edges having such node as source or target are deleted by the 
rewriting step, as a kind of side-effect. For instance, production $q$ in the top row 
of Fig. 2, which consumes node $B$, can be applied to the graph $G$ in the same 
figure. As a result both node $B$ and the loop edge $L$ are removed. 



Fig. 2. Side-effects in SPO rewriting (production $q$ in the top row, graph $G$ below). 



Even if the category PGraph has all pushouts, still we will consider a condition 
which corresponds to the identification condition of the DPO approach. 

Definition 3 (valid match). A match $g : L_q \to G$ is called valid when for any 
$x, y \in |L_q|$, if $g(x) = g(y)$ then $x, y \in \mathrm{dom}(r_q)$. 

Conceptually, a match is not valid if it requires a single resource to be consumed 
twice, or to be consumed and preserved at the same time. 
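Condition (*) of Definition 1, the direct derivation of Definition 2 with its dangling-edge side effect, and the validity check of Definition 3 can all be exercised on concrete graphs. The Python below is an added example, not the authors' code; it records the typing morphism as a type label on every node and edge, takes $r_q$ to be a partial inclusion (so $\mathrm{dom}(r_q)$ is the set of names shared by $L_q$ and $R_q$), and rebuilds Fig. 2 from its description with constructed names (node $C$ and edge $e$ are added to show that untouched edges survive).

```python
class Graph:
    """Directed graph whose nodes and edges carry a type label, standing in
    for the typing morphism into the graph of types TG."""

    def __init__(self, nodes, edges):
        self.nodes = dict(nodes)   # node name -> node type
        self.edges = dict(edges)   # edge name -> (source, target, edge type)
        for e, (s, t, _) in self.edges.items():
            if s not in self.nodes or t not in self.nodes:
                raise ValueError(f"edge {e} is dangling")

    def items(self):
        return set(self.nodes) | set(self.edges)


def is_partial_morphism(fN, fE, G, H):
    """Condition (*) plus type consistency: wherever f is defined on an edge
    it must be defined on both endpoints, and the image edge must connect
    the images of those endpoints."""
    if any(G.nodes[n] != H.nodes[fN[n]] for n in fN):
        return False
    for e, img in fE.items():
        s, t, ty = G.edges[e]
        s_img, t_img, ty_img = H.edges[img]
        if ty != ty_img or s not in fN or t not in fN:
            return False
        if fN[s] != s_img or fN[t] != t_img:
            return False
    return True


def is_valid_match(dom, gN, gE):
    """Definition 3: items identified by the match must all be preserved."""
    for mapping in (gN, gE):
        first = {}
        for x, img in mapping.items():
            y = first.setdefault(img, x)
            if y != x and not (x in dom and y in dom):
                return False
    return True


def spo_rewrite(G, L, R, gN, gE):
    """Direct derivation G => H for r_q : L -> R (a partial inclusion).
    Returns H and the edges of G deleted as a side effect of the pushout."""
    dom = L.items() & R.items()
    total = set(gN) == set(L.nodes) and set(gE) == set(L.edges)
    if not (total and is_partial_morphism(gN, gE, L, G)):
        raise ValueError("match is not a total typed morphism")
    if not is_valid_match(dom, gN, gE):
        raise ValueError("match is not valid")
    del_nodes = {gN[n] for n in L.nodes if n not in dom}
    del_edges = {gE[e] for e in L.edges if e not in dom}
    # Pushout in TG-PGraph: every edge of G touching a deleted node goes too,
    # even though the production never mentions it.
    side_effect = {e for e, (s, t, _) in G.edges.items()
                   if (s in del_nodes or t in del_nodes) and e not in del_edges}
    nodes = {n: ty for n, ty in G.nodes.items() if n not in del_nodes}
    edges = {e: st for e, st in G.edges.items()
             if e not in del_edges and e not in side_effect}
    used = set(G.items())

    def fresh(x):
        k = 0
        while f"{x}_{k}" in used:
            k += 1
        used.add(f"{x}_{k}")
        return f"{x}_{k}"

    # Items of R outside dom(r_q) are created with fresh names; preserved
    # items keep the name of their image in G.
    created = {n: fresh(n) for n in R.nodes if n not in dom}
    for n, new in created.items():
        nodes[new] = R.nodes[n]
    for e, (s, t, ty) in R.edges.items():
        if e not in dom:
            src = gN[s] if s in dom else created[s]
            tgt = gN[t] if t in dom else created[t]
            edges[fresh(e)] = (src, tgt, ty)
    return Graph(nodes, edges), side_effect


def derivation_exists(G, L, R, gN, gE):
    try:
        spo_rewrite(G, L, R, gN, gE)
        return True
    except ValueError:
        return False


# Constructed instance of Fig. 2: q deletes node B and preserves node A;
# G additionally has a loop L on B and an arc e from A to a node C.
L_q = Graph({"A": "node", "B": "node"}, {})
R_q = Graph({"A": "node"}, {})
G = Graph({"A": "node", "B": "node", "C": "node"},
          {"L": ("B", "B", "loop"), "e": ("A", "C", "arc")})
H, deleted = spo_rewrite(G, L_q, R_q, {"A": "A", "B": "B"}, {})
```

Applying `q` at the match `A -> A, B -> B` yields `H` with nodes `A` and `C` and the single edge `e`; the loop `L` is reported in `deleted` although no item of `L_q` is mapped to it. A production with two consumed nodes matched onto the same node of `G` is rejected as an invalid match.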

Definition 4 (typed graph grammar and derivation). A ($TG$-typed) SPO 
graph grammar $S$ is a tuple $(TG, G_s, P, \pi)$, where $G_s$ is the (typed) start graph, 
$P$ is a set of production names, and $\pi$ is a function which associates a production 
to each name in $P$. A graph grammar is consuming if all the productions in the 
range of $\pi$ are consuming. A derivation in $S$ is a sequence of direct derivations 
beginning from the start graph, $\rho = \{G_{i-1} \Rightarrow G_i\}_i$ with $G_0 = G_s$. A 
derivation is valid if so are all the matches in its direct derivations. 

In the paper we will consider only consuming graph grammars and valid derivations. 
The restriction to consuming grammars is essential to obtain a meaningful 
semantics combining concurrency and nondeterminism. In fact, the presence of 
non-consuming productions, which can be applied without deleting any item, 
would lead to an unbounded number of concurrent events with the same causal 
history. This would not fit with the approach to concurrency (see, e.g., [13,27]) 
where events in computations are identified with their causal history (formally, 
the unfolding construction would not work). On the other hand, considering 
valid derivations only is needed to have a computational interpretation which is 
resource-conscious, i.e., where a resource can be consumed only once. 

We denote by $\mathrm{Elem}(S)$ the set $N_{TG} \cup E_{TG} \cup P$. We will assume that for each 
production name $q$ the corresponding production $\pi(q)$ is $r_q : L_q \rightharpoonup R_q$. Without loss 
of generality, we will assume that the injective partial morphism $r_q$ is a partial 
inclusion (i.e., that $r_q(x) = x$ whenever defined). 

1.2 Relation with Petri Nets 

The reader who is familiar with Petri net theory can gain a solid intuition about 
grammar morphisms and many other definitions and constructions in this pa- 
per, by referring to the relation between Petri nets and (SPO) graph grammars. 
The correspondence between these two formalisms (see, e.g., [6] and references 
therein) relies on the basic observation that a P/T Petri net is essentially a 
rewriting system on a restricted kind of graphs, namely discrete, labelled graphs 
(that can be identified with sets of tokens labelled by places), the productions 
being the net transitions. 

For instance, Fig. 3 presents a Petri net transition $t$ and the corresponding 
graph production $r_t$ which consumes nodes corresponding to two tokens in $s_0$ 
and one token in $s_1$ and produces new nodes corresponding to one token in $s_2$ 
and one token in $s_3$. The domain of the rule morphism is empty, i.e., $r_t : L \rightharpoonup R$ 
is the empty function, since nothing is explicitly preserved by a net transition. 




Fig. 3. A Petri net transition and a corresponding SPO production (places $s_0$, $s_0$, $s_1$ 
consumed; $s_2$, $s_3$ produced). 



Note that, in this encoding of transitions into productions, the restriction 
to consuming graph grammars corresponds, in the theory of Petri nets, to the 
common requirement that transitions must have non-empty preconditions. 

A tighter correspondence can be established with contextual nets [21], also 
called nets with test arcs in [5], activator arcs in [15] or read arcs in [26], an 
extension of ordinary nets with the possibility of checking for the presence of tokens 
which are not consumed. Non-directed (usually horizontal) arcs are used to 
represent context conditions. For instance, transition $t$ in the left part of Fig. 4 
has place $s$ as context, hence at least one token in $s$ is needed for enabling $t$, and 
the firing of $t$ does not affect such token. 

As shown in Fig. 4, the context of a transition $t$ in a contextual net corresponds 
to the graph $\mathrm{dom}(r_t)$ of the corresponding SPO production $r_t : L \rightharpoonup R$. 
Thus, in general, a contextual net corresponds to an SPO graph grammar still 
acting on discrete graphs, but where a production may preserve some nodes, i.e., 
its domain might not be empty. 




Fig. 4. A contextual Petri net transition and a corresponding SPO production. 



1.3 Grammar Morphisms 

The notion of SPO grammar morphism defined in this paper recasts in the setting 
of the SPO approach the notion introduced for dpo grammars in [7,3], which in 
turn was a generalisation of Petri net morphisms. Recall that a Petri net mor- 
phism [27] consists of two components: a multirelation between the sets of places, 
and a partial function mapping transitions of the first net into transitions of the 
second one. Net morphisms are required to “preserve” the algebraic structure of 
a net in the sense that the pre- (post-)set of the image of a transition t must be 
the image of the pre- (post-)set of t. 

Recall that, given two sets $A$ and $B$, a multirelation $R : A \leftrightarrow B$ is a function 
$R : A \times B \to \mathbb{N}$. Intuitively, $R$ relates elements $a \in A$ and $b \in B$ with multiplicity 
$R(a, b)$. As the items of the type graph of a graph grammar can be seen as generalisations 
of Petri net places and typed graphs as generalisations of multisets of 
places, the first component of a grammar morphism will be a span of total graph 
morphisms between the type graphs of the source and target grammars, arising 
as a categorical generalisation of the notion of multirelation. Here we give only 
some basic definitions. For an extensive discussion we refer the reader to [7, 1]. 

Definition 5 (spans). Let $\mathbf{C}$ be a category. A (concrete) span in $\mathbf{C}$ is a pair 
of coinitial arrows $f = (f^L, f^R)$ with $f^L : x_f \to a$ and $f^R : x_f \to b$. Objects $a$ 
and $b$ are called the source and the target of the span, written $f : a \leftrightarrow b$. The 
span $f$ will be sometimes denoted as $(f^L, x_f, f^R)$, explicitly giving the common 
source object $x_f$. 

Consider the equivalence $\simeq$ over the set of spans with the same source and 
target defined, for $f, f' : a \leftrightarrow b$, as $f \simeq f'$ if there exists an isomorphism 
$k : x_f \to x_{f'}$ such that $f'^L \circ k = f^L$ and $f'^R \circ k = f^R$ (see Fig. 6(a)). The 
isomorphism class of a span $f$ is denoted by $[f]$ and called a semi-abstract span. 

Fig. 5 gives two examples of multirelations in Set, with the corresponding 
span representations. 




Fig. 5. The (semi-abstract) spans for the multirelations (a) $R_1(a_1, b_1) = 2$, $R_1(a_2, b_2) = 
1$, $R_1(a_2, b_3) = 1$ and (b) $R_2(a_1, b_1) = 1$, $R_2(a_1, b_3) = 1$, $R_2(a_2, b_3) = 1$ (pairs which 
are not mentioned are mapped to 0). 



Definition 6 (category of spans). Let $\mathbf{C}$ be a category with pullbacks. Then 
the category $\mathrm{Span}(\mathbf{C})$ has the same objects of $\mathbf{C}$ and semi-abstract spans on $\mathbf{C}$ 
as arrows. More precisely, a semi-abstract span $[f]$ is an arrow from the source 
to the target of $f$. The composition of two semi-abstract spans $[f_1] : a \leftrightarrow b$ and 
$[f_2] : b \leftrightarrow c$ is the (equivalence class) of a span $f$ constructed as in Fig. 6(b) 
(i.e., $f^L = f_1^L \circ y$ and $f^R = f_2^R \circ z$), where the square is a pullback. The identity 
on an object $a$ is the equivalence class of the span $(id_a, id_a)$, where $id_a$ is the 
identity of $a$ in $\mathbf{C}$. 




Fig. 6 . Equivalence and composition of spans. 



Relations can be identified with special multirelations $R : A \leftrightarrow B$ where 
multiplicities are bounded by one (namely $R(a, b) \leq 1$ for all $a \in A$ and $b \in B$). 
The corresponding condition on a span $f : A \leftrightarrow B$ is the existence of at most 
one path between any two elements $a \in A$ and $b \in B$. For instance, the span in 
Fig. 5(a) is not relational, while that in Fig. 5(b) is relational. 

Definition 7 (relational span). Let $\mathbf{C}$ be a category. A span $f : a \leftrightarrow b$ in $\mathbf{C}$ 
is called relational if $\langle f^L, f^R \rangle : x_f \to a \times b$ is mono. 
We can also find a categorical analogue of constructing the image of a multiset 
through a multirelation. The next definition is given for graphs, but it could be 
generalised to any category with pullbacks. 

Definition 8 (pullback-retyping construction). Let $[f_T] : TG_1 \leftrightarrow TG_2$ be 
a semi-abstract span in Graph and let $G_1$ be a $TG_1$-typed graph. Then $G_1$ 
can be "transformed" into a $TG_2$-typed graph as depicted in the diagram below, 
by first taking a pullback (in Graph) of the arrows $f_T^L : x_{f_T} \to TG_1$ and 
$t_{G_1} : |G_1| \to TG_1$, and then typing the pullback object over $TG_2$ by using the 
right part of the span, $f_T^R : x_{f_T} \to TG_2$. 

    |G_1| <---x--- |G_2| 
      |              | 
    t_{G_1}          y 
      v              v 
     TG_1 <--f_T^L-- x_{f_T} --f_T^R--> TG_2 

The $TG_2$-typed graph $G_2 = (|G_2|, f_T^R \circ y)$ is determined only up to isomorphism. 
Sometimes we will write $f_T\{x, y\}(G_1, G_2)$ (or simply $f_T(G_1, G_2)$ if we are not 
interested in morphisms $x$ and $y$) to express the fact that $G_1$ and $G_2$ are related 
in this way by the pullback-retyping construction induced by $[f_T]$. 
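Spans in Set (Definitions 5 to 7) and the pullback-retyping of Definition 8 restricted to discrete graphs, i.e. multisets over the type set, are small enough to compute directly. The Python below is an added example, not the authors' code: it encodes a multirelation as a span whose apex has one element per "path", composes spans by the pullback of Fig. 6(b), checks relationality as injectivity of $\langle f^L, f^R\rangle$, and retypes a multiset through a span, cross-checking the last two operations against plain multirelation arithmetic. $R_1$ and $R_2$ are the multirelations of Fig. 5; $R_3$ and the multiset used for retyping are constructed for the example.

```python
from collections import Counter


def span_of_multirelation(R):
    """Concrete span (left, X, right) in Set for R : A <-> B given as a
    mapping (a, b) -> multiplicity; the apex X has R(a, b) elements per pair."""
    X = [(a, b, k) for (a, b), n in sorted(R.items()) for k in range(n)]
    return {x: x[0] for x in X}, X, {x: x[1] for x in X}


def multirelation_of_span(span):
    left, X, right = span
    return Counter((left[x], right[x]) for x in X)


def compose_spans(f, g):
    """Composition as in Fig. 6(b): the new apex is the pullback of f^R and
    g^L in Set, i.e. the pairs (x, y) with f^R(x) = g^L(y)."""
    fl, fX, fr = f
    gl, gX, gr = g
    X = [(x, y) for x in fX for y in gX if fr[x] == gl[y]]
    return {p: fl[p[0]] for p in X}, X, {p: gr[p[1]] for p in X}


def is_relational(span):
    """Definition 7 in Set: <f^L, f^R> : X -> A x B is injective, i.e. there
    is at most one path between any a and b."""
    left, X, right = span
    return len({(left[x], right[x]) for x in X}) == len(X)


def compose_multirelations(R1, R2):
    """Plain multirelation composition: sum over the middle element of the
    products of multiplicities; used only to cross-check compose_spans."""
    out = Counter()
    for (a, b), n in R1.items():
        for (b2, c), m in R2.items():
            if b == b2:
                out[(a, c)] += n * m
    return out


def retype(span, G1):
    """Pullback-retyping (Definition 8) for a discrete graph G1, i.e. a
    multiset over TG1 given as type -> count.  The pullback of f^L with the
    typing of G1 pairs each item of G1 with each apex element over its type,
    and the result is typed over TG2 through f^R: the image of a multiset
    through a multirelation."""
    left, X, right = span
    G2 = Counter()
    for type1, n in G1.items():
        for x in X:
            if left[x] == type1:
                G2[right[x]] += n
    return G2


# Fig. 5 data: R1 has two paths from a1 to b1, R2 has at most one path per pair.
R1 = {("a1", "b1"): 2, ("a2", "b2"): 1, ("a2", "b3"): 1}
R2 = {("a1", "b1"): 1, ("a1", "b3"): 1, ("a2", "b3"): 1}
# Constructed multirelation B <-> C to compose with R1.
R3 = {("b1", "c1"): 1, ("b3", "c1"): 2}
```

Composing the spans of `R1` and `R3` by pullback gives the same multirelation as `compose_multirelations(R1, R3)`, which is what Definition 6 promises; `R1`'s span fails `is_relational` while `R2`'s passes, matching the remark on Fig. 5.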

We are now ready to define grammar morphisms. Besides the component 
specifying the relation between the type graphs, a morphism from Si to S2 
includes a (partial) mapping between production names. Furthermore a third 
component explicitly relates the (untyped) graphs underlying corresponding pro- 
ductions of the two grammars, as well as the graphs underlying the start graphs. 

Definition 9 (grammar morphism). Let $S_i = (TG_i, G_{s_i}, P_i, \pi_i)$ ($i \in \{1, 2\}$) 
be two graph grammars. A morphism $f : S_1 \to S_2$ is a triple $([f_T], f_P, \iota_f)$ where 

— $[f_T] : TG_1 \leftrightarrow TG_2$ is a semi-abstract span in Graph, called the type-span; 

— $f_P : P_1 \to P_2 \cup \{\emptyset\}$ is a total function, where $\emptyset$ is a new production name 
(not in $P_2$), with associated production $\emptyset \rightharpoonup \emptyset$ (footnote 1); 

— $\iota_f$ is a family $\{\iota_f(q_1) \mid q_1 \in P_1\} \cup \{\iota_f^s\}$ of morphisms in Graph such that 
$\iota_f^s : |G_{s_2}| \to |G_{s_1}|$ and for each $q_1 \in P_1$, if $f_P(q_1) = q_2$, then $\iota_f(q_1)$ is a pair 
$\langle \iota_f^L(q_1) : |L_{q_2}| \to |L_{q_1}|,\ \iota_f^R(q_1) : |R_{q_2}| \to |R_{q_1}| \rangle$, 

such that the following conditions are satisfied: 

1. Preservation of the start graph. 
There exists a morphism $k$ such that $f_T\{k, \iota_f^s\}(G_{s_1}, G_{s_2})$, namely such that 
the diagram in Fig. 7(a) commutes and the square is a pullback. 

Footnote 1: Considering the empty production $\emptyset$ is technically preferable to the use of a partial 
mapping $f_P : P_1 \rightharpoonup P_2$. 
Fig. 7. Diagrams for SPO grammar morphisms: (a) the start graphs, (b) the productions. 



2. Preservation of productions. 
For each $q_1 \in P_1$, with $q_2 = f_P(q_1)$, there exist morphisms $k^L$ and $k^R$ such 
that the diagram in Fig. 7(b) commutes, and $f_T\{k^Y, \iota_f^Y(q_1)\}(Y_{q_1}, Y_{q_2})$ for 
$Y \in \{L, R\}$. 

The morphism $f$ is called relational if the type component $f_T$ is relational. 

As in [1, 7] one can show that grammar morphisms are “simulations”, namely 
that every derivation pi in Si can be transformed into a derivation in S 2 , 
related to pi by the pullback-retyping construction induced by the morphism. 

2 Nondeterministic Occurrence Grammars 

Analogously to what happens for Petri nets, occurrence grammars are “safe” 
grammars, where the dependency relations between productions satisfy suit- 
able acyclicity and well-foundedness requirements. Nondeterministic occurrence 
grammars will be used to provide a static description of the computation of a 
given graph grammar, recording the events (production applications) which can 
appear in all possible derivations and the dependency relations among them. 

While for nets it suffices to take into account only the causality and conflict 
relations, for grammars the fact that a production application not only consumes 
and produces, but also preserves a part of the state leads to a form of asymmetric 
conflict between productions. Quite interestingly, instead, as we shall discuss 
later there is no need of taking into account the dependencies between events 
related to the side-effects of rule applications (i.e., the deletion of an edge caused 
by the deletion of its source or target node). 

The notion of safe graph grammar [8] generalises the one for P/T nets which 
requires that each place contains at most one token in any reachable marking. 

Definition 10 ((strongly) safe grammar). A grammar $\mathcal{G} = (TG, G_s, P, \pi)$ is (strongly) safe if, for all $H$ such that $G_s \Rightarrow^* H$, $t_H$ is injective.

In a safe grammar, each graph $G$ reachable from the start graph is injectively typed, and thus we can identify it with the corresponding subgraph $t_G(|G|)$ of the type graph. With this identification, a production can only be applied to the subgraph of the type graph which is the image via the typing morphism of its left-hand side. Thus, according to its typing, we can safely think that a production produces, preserves or consumes items of the type graph. Using a net-like language, we speak of pre-set ${}^\bullet q$, context $\underline{q}$ and post-set $q^\bullet$ of a production $q$, defined in the obvious way; dually, for an item $x$ of the type graph, ${}^\bullet x$, $\underline{x}$ and $x^\bullet$ denote the sets of productions which produce, preserve and consume $x$, respectively. For instance, for grammar $\mathcal{G}$ in Fig. 8, ${}^\bullet q_1 = \{A\}$, $\underline{q_1} = \{B\}$ and $q_1^\bullet = \{L\}$, while ${}^\bullet B = \emptyset$, $\underline{B} = \{q_1, q_2\}$ and $B^\bullet = \{q_3\}$.



[Figure: the four productions $q_1$, $q_2$, $q_3$, $q_4$ of $\mathcal{G}$, its type graph $TG$ and its start graph $G_s$, over the nodes $A$, $B$, $C$ and the edge $L$.]

Fig. 8. A safe SPO graph grammar $\mathcal{G}$.



Although the notion of causal relation is meaningful only for safe grammars, 
it is technically convenient to define it for general grammars. The same holds 
for the asymmetric conflict relation introduced below. 

Definition 11 (causal relation). The causal relation of a grammar $\mathcal{G}$ is the binary relation $<$ over $Elem(\mathcal{G})$ defined as the least transitive relation satisfying: for any node or edge $x$ in the type graph $TG$, and for productions $q, q' \in P$,

1. if $x \in {}^\bullet q$ then $x < q$;

2. if $x \in q^\bullet$ then $q < x$;

3. if $q^\bullet \cap \underline{q'} \neq \emptyset$ then $q < q'$.

As usual $\leq$ is the reflexive closure of $<$. Moreover, for $x \in Elem(\mathcal{G})$ we denote by $\lfloor x \rfloor$ the set of causes of $x$ in $P$, namely $\{q \in P : q \leq x\}$.

Notice that the fact that an item is preserved by $q$ and consumed by $q'$, i.e., $\underline{q} \cap {}^\bullet q' \neq \emptyset$ (e.g., item $C \in \underline{q_2} \cap {}^\bullet q_4$ in grammar $\mathcal{G}$ of Fig. 8), does not imply $q < q'$. Actually, the dependency between the two productions is a kind of asymmetric conflict (see [2, 23, 17]). The application of $q'$ prevents $q$ from being applied, so that $q$ can never follow $q'$ in a derivation (or, equivalently, when both $q$ and $q'$ occur in a derivation then $q$ must precede $q'$). But the converse is not true, since $q$ can be applied before $q'$.

Definition 12 (asymmetric conflict). The asymmetric conflict relation of a grammar $\mathcal{G}$ is the binary relation $\nearrow$ over the set of productions, defined by:

1. if $\underline{q} \cap {}^\bullet q' \neq \emptyset$ then $q \nearrow q'$;

2. if ${}^\bullet q \cap {}^\bullet q' \neq \emptyset$ and $q \neq q'$ then $q \nearrow q'$;

3. if $q < q'$ then $q \nearrow q'$.

Condition 1 is justified by the discussion above. Condition 2 essentially expresses the fact that the ordinary symmetric conflict is encoded, in this setting, as an asymmetric conflict in both directions. Finally, since $<$ represents a global order of execution, while $\nearrow$ determines an order of execution only locally to each computation, it is natural to impose $\nearrow$ to be an extension of $<$ (Condition 3).

As already mentioned, the side-effects of production applications can be disregarded when analysing the dependency relations between events. In fact:

Causality. Assume that production $q$ produces an edge $e$, and $q'$ deletes $e$ as side-effect (because it deletes its source or target). At a first glance we could think that $q'$ should causally depend on $q$. However, although $q'$ consumes the resource $e$ produced by $q$, the application of $q$ is not necessary to make $q'$ applicable, since $q'$ does not explicitly require the presence of $e$. Hence $q'$ does not causally depend on $q$. For instance, referring to grammar $\mathcal{G}$ in Fig. 8, the application of $q_3$ after $q_1$ deletes node $B$ and, as side-effect, edge $L$. However $q_3$ does not depend on $q_1$, since it can be applied already to the start graph.

Asymmetric conflict. Also asymmetric conflict (called weak conflict in [24]) can be defined disregarding the mentioned side-effects. This is basically due to the fact that when a production uses (consumes or preserves) an edge, it must necessarily use the corresponding source and target nodes, and therefore dependencies related to side-effects can be detected by looking only at explicitly used items. E.g., consider again grammar $\mathcal{G}$ in Fig. 8. Observe that production $q_3$ prevents $q_2$ from being applied since it deletes, as side-effect, edge $L$ which is consumed by $q_2$. However, to consume $L$, production $q_2$ must preserve or consume node $B$ (actually, it preserves it: $q_2 \in \underline{B}$) and thus the "ordinary" definition of asymmetric conflict already tells us that $q_2 \nearrow q_3$.

A nondeterministic occurrence grammar is an acyclic grammar which represents, in a branching structure, several possible computations beginning from its start graph and using each production at most once.

Definition 13 ((nondeterministic) occurrence grammar). A (nondeterministic) occurrence grammar is a grammar $\mathcal{O} = (TG, G_s, P, \pi)$ such that

1. its causal relation $<$ is a partial order, and, for any $q \in P$, the set $\lfloor q \rfloor$ is finite and the asymmetric conflict $\nearrow$ is acyclic on $\lfloor q \rfloor$;

2. the start graph $G_s$ is the set $Min(\mathcal{O})$ of minimal elements of $(Elem(\mathcal{O}), \leq)$ (with the graphical structure inherited from $TG$ and typed by the inclusion);

3. any item $x$ in $TG$ is created by at most one production in $P$, namely $|{}^\bullet x| \leq 1$;

4. for each $q \in P$, the typing $t_{L_q}$ is injective on the "consumed part" $|L_q| - |dom(r_q)|$, and $t_{R_q}$ is injective on the "produced part" $|R_q| - r_q(|dom(r_q)|)$.

We denote by OGG the full subcategory of GG with occurrence grammars as objects.

Since the start graph of an occurrence grammar $\mathcal{O}$ is determined by $Min(\mathcal{O})$, we often do not mention it explicitly. One can show that, by the defining conditions, each occurrence grammar is safe.

Intuitively, conditions (1)-(3) recast in the framework of graph grammars the analogous conditions of occurrence nets (actually of occurrence contextual nets [4]). In particular, in Condition (1), the acyclicity of asymmetric conflict on $\lfloor q \rfloor$ corresponds to the requirement of irreflexivity for the conflict relation in occurrence nets. Condition (4), instead, is closely related to safety and requires that each production consumes and produces items with multiplicity one. An example of occurrence grammar is $\mathcal{G}$ in Fig. 8.

As in the case of Petri nets, reachable states can be characterised in terms 
of a concurrency relation. 

Definition 14 (concurrent graph). Let $\mathcal{O} = (TG, P, \pi)$ be an occurrence grammar. A subgraph $G$ of $TG$ is called concurrent if

1. $\nearrow_G$, the asymmetric conflict restricted to $\bigcup_{x \in G} \lfloor x \rfloor$, is acyclic and finitary;

2. $\neg(x < y)$ for all $x, y \in G$.

It is possible to show that a subgraph $G$ of $TG$ is concurrent iff it is a subgraph of a graph reachable from the start graph by means of a derivation which applies all the productions in $\bigcup_{x \in G} \lfloor x \rfloor$ exactly once, in any order compatible with $\nearrow_G$.

3 Unfolding of Graph Grammars 

The unfolding construction, when applied to a consuming grammar $\mathcal{G}$, produces a nondeterministic occurrence grammar $\mathcal{U}_s(\mathcal{G})$ describing the behaviour of $\mathcal{G}$. The unfolding can be characterised as a universal construction for several interesting categories of algebraic graph grammars.

Intuitively, given a graph grammar 3 , the construction consists of starting 
from the start graph of 3, then applying in all possible ways its productions to 
concurrent subgraphs, and recording in the unfolding each occurrence of produc- 
tion and each new graph item generated in the rewriting process, both enriched 
with the corresponding causal history. Due to space limitations we skip the de- 
tails of the constructions, giving only a summary of the main results. 



3.1 Unfolding of Semi-weighted Graph Grammars

As it has been done for ordinary (and other larger classes of) Petri nets [27, 20, 1], we first restrict to a full subcategory SGG of GG where objects satisfy conditions analogous to those defining semi-weighted P/T Petri nets. A graph grammar is semi-weighted if the start graph is injective and the right-hand side of each production is injective when restricted to produced items (namely, to items which are not in the codomain of the production morphism).

Theorem 1. The unfolding construction can be expressed as a functor $\mathcal{U}_s : SGG \to OGG$, which is right adjoint to the inclusion $\mathcal{I}_s : OGG \to SGG$.
3.2 Unfolding of General Grammars

The restriction to the semi-weighted case is essential for the universal characterisation of the unfolding construction when one uses general morphisms. However, suitably restricting graph grammar morphisms to still interesting subclasses (comprising, for instance, the morphisms of [24, 14]) it is possible to regain the categorical result for general, possibly non semi-weighted, grammars.

More specifically, the coreflection result can be obtained by limiting our attention to a (non full) subcategory of GG, where objects are general graph grammars, but all morphisms have a relational span as type component. The naive solution of taking all relational morphisms as arrows does not work because they are not closed under composition. A possible appropriate choice is instead given by the category $GG^R$, where the arrows are grammar morphisms such that the right component of the type span is mono. It is easy to realize that these kinds of spans correspond to partial graph morphisms in the opposite direction. In fact, a partial graph morphism $g : TG_2 \rightharpoonup TG_1$ can be identified with the span

$$TG_1 \xleftarrow{\ g\ } dom(g) \rightarrowtail TG_2$$

Theorem 2. The unfolding construction can be turned into a functor $\mathcal{U}_s^R : GG^R \to OGG^R$, having the inclusion $\mathcal{I}_s^R : OGG^R \to GG^R$ as left adjoint, establishing a coreflection between the two categories.

Alternatively, the result can be proved for the subcategory $GG^L$ of GG where arrows are grammar morphisms having the left component of the type span mono (corresponding to partial graph morphisms with the same source and target of the span).

4 Event Structure Semantics for SPO Graph Grammars 

In this section we show that asymmetric event structures, a generalisation of 
prime event structures introduced in [4], provide a suitable setting for defining 
an event structure semantics for SPO graph grammars. After reviewing the ba- 
sics of asymmetric event structures, we show that any occurrence SPO grammar 
can be mapped to an asymmetric event structure via a functorial construction. 
Furthermore, a left adjoint functor, back from asymmetric event structures to oc- 
currence grammars, can be defined, associating a canonical occurrence grammar 
to any asymmetric event structure. 

4.1 Asymmetric Event Structures 

Asymmetric event structures [4] are a generalisation of prime event structures 
where the conflict relation is allowed to be non-symmetric. As already mentioned, 
this is needed to give a faithful representation of dependencies between events 
in formalisms such as string, term, graph rewriting and contextual nets, where a rule may preserve a part of the state, in the sense that part of the state is necessary for applying the rule, but it is not affected by the application.

For technical reasons we first introduce pre-asymmetric event structures. 
Then asymmetric event structures will be defined as special pre-asymmetric 
event structures satisfying a suitable condition of “saturation” . 

Definition 15 (asymmetric event structure). A pre-asymmetric event structure (pre-AES) is a tuple $\mathbb{A} = (E, \leq, \nearrow)$, where $E$ is a set of events and $\leq$, $\nearrow$ are binary relations on $E$ called causality and asymmetric conflict, respectively, such that:

1. $\leq$ is a partial order and $\lfloor e \rfloor = \{e' \in E \mid e' \leq e\}$ is finite for all $e \in E$;

2. $\nearrow$ satisfies, for all $e, e' \in E$: (a) $e < e' \Rightarrow e \nearrow e'$, (b) $\nearrow$ is acyclic in $\lfloor e \rfloor$,

where, as usual, $e < e'$ means $e \leq e'$ and $e \neq e'$.

An asymmetric event structure (AES) is a pre-AES which satisfies:

3. for any $e, e' \in E$, if $\nearrow$ is cyclic in $\lfloor e \rfloor \cup \lfloor e' \rfloor$ then $e \nearrow e'$.

The asymmetric conflict relation $\nearrow$ determines an order of execution locally to each computation: if $e \nearrow e'$ and $e, e'$ occur in the same computation then $e$ must precede $e'$. Therefore a set of events $e_1 \nearrow e_2 \nearrow \ldots \nearrow e_n \nearrow e_1$ forming a cycle of asymmetric conflict can never occur in the same computation, a fact that can be naturally interpreted as a kind of conflict over sets of events. Condition (3) above ensures that, in an AES, this kind of conflict is inherited through causality, a typical property also of PES's.

Any pre-AES can be "saturated" to produce an AES. More precisely, given a pre-AES $\mathbb{A} = (E, \leq, \nearrow)$, its saturation, denoted by $\overline{\mathbb{A}}$, is the AES $(E, \leq, \overline{\nearrow})$ where $\overline{\nearrow}$ is defined as $e \overline{\nearrow} e'$ iff ($e \nearrow e'$) or $\nearrow$ is cyclic in $\lfloor e \rfloor \cup \lfloor e' \rfloor$.

Definition 16 (category of AES's). Let $\mathbb{A}_0$ and $\mathbb{A}_1$ be two AES's. An AES-morphism $f : \mathbb{A}_0 \to \mathbb{A}_1$ is a partial function $f : E_0 \rightharpoonup E_1$ such that, for all $e_0, e_0' \in E_0$, assuming that $f(e_0)$ and $f(e_0')$ are defined,

1. $\lfloor f(e_0) \rfloor \subseteq f(\lfloor e_0 \rfloor)$;

2. (a) $f(e_0) \nearrow_1 f(e_0') \Rightarrow e_0 \nearrow_0 e_0'$;
   (b) $(f(e_0) = f(e_0')) \wedge (e_0 \neq e_0') \Rightarrow e_0 \nearrow_0 e_0'$.

We denote by AES the category having asymmetric event structures as objects and AES-morphisms as arrows.

The notion of configuration extends smoothly from PES's to AES's, the main difference being the fact that the computational order between configurations is not simply set-inclusion. In fact, a configuration $C$ can be extended with an event $e'$ only if for any event $e \in C$ it does not hold that $e' \nearrow e$ (since, in this case, $e$ would disable $e'$). The set of configurations of an AES with such a computational order is a domain. The corresponding functor from AES to Dom, the category of finitary prime algebraic domains, has a left adjoint which maps each domain to the corresponding prime event structure (each PES can be seen as a special AES where conflict is symmetric). Hence Winskel's equivalence between PES, the category of prime event structures, and Dom generalises to a coreflection between AES and Dom.

[Diagram: the coreflection between AES and Dom, the configuration functor from AES to Dom being right adjoint to the functor from Dom to AES.]

4.2 From Occurrence Grammars to AES's

Given any occurrence grammar, the corresponding asymmetric event structure is readily obtained by taking the production names as events. Causality and asymmetric conflict are the relations defined in Definitions 11 and 12.

Definition 17 (AES for an occurrence grammar). Let $\mathcal{O} = (TG, P, \pi)$ be an occurrence grammar. The AES associated to $\mathcal{O}$, denoted $\mathcal{E}_s(\mathcal{O})$, is the saturation of the pre-AES $(P, \leq, \nearrow)$, with $\leq$ and $\nearrow$ as in Definitions 11 and 12.

The above construction naturally gives rise to a functor.

Proposition 1. For any morphism $h : \mathcal{O}_0 \to \mathcal{O}_1$ between occurrence grammars, let $\mathcal{E}_s(h)(q) = h_P(q)$ if $h_P(q) \neq \emptyset$, and $\mathcal{E}_s(h)(q)$ undefined otherwise. Then $\mathcal{E}_s : OGG \to AES$ is a well-defined functor.

For instance, Fig. 9 shows the AES (and the prime algebraic domain of its configurations) associated to the occurrence grammar $\mathcal{G}$ in Fig. 8. In the AES straight and dotted arrows represent causality and asymmetric conflict, respectively. In any configuration the event corresponding to $q_i$ is written as "$i$".



[Figure: (a) the AES on the events $q_1, q_2, q_3, q_4$; (b) its domain of configurations, whose elements include $\{3,4\}$, $\{1,4\}$, $\{1,3\}$, $\{1,2\}$, $\{1,3,4\}$, $\{1,2,3\}$, $\{1,2,4\}$ and $\{1,2,3,4\}$.]

Fig. 9. The (a) AES and (b) domain of configurations for $\mathcal{G}$ of Fig. 8.
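Definitions 11 to 14, the saturation of Definition 15 and the configurations of Section 4.1 are all computable for a finite safe grammar. The following Python script is an added example, not code from the paper: it encodes grammar $\mathcal{G}$ of Fig. 8 from the pre-sets, contexts and post-sets stated in the text (${}^\bullet q_1 = \{A\}$, $\underline{q_1} = \{B\}$, $q_1^\bullet = \{L\}$, $\underline{B} = \{q_1, q_2\}$, $B^\bullet = \{q_3\}$, $C \in \underline{q_2} \cap {}^\bullet q_4$, $L$ consumed by $q_2$), computes causality and asymmetric conflict, checks conditions (1)-(3) of Definition 13, saturates the resulting pre-AES as in Definition 17, and enumerates the configurations of Fig. 9(b) with the extension order described in Section 4.1. The right-hand sides of $q_2$ and $q_4$ are not described in the text, so their post-sets are assumed empty; the item and production names are those of the figure.

```python
"""Dependencies of a safe SPO grammar and the AES it induces (added example)."""
from itertools import chain, combinations

# production -> (pre-set, context, post-set) over items of TG, from the text:
# •q1={A}, q1_={B}, q1•={L}; •B=∅, B_={q1,q2}, B•={q3}; C ∈ q2_ ∩ •q4; q2
# consumes L.  Assumption: the post-sets of q2 and q4 are empty.
GRAMMAR = {
    "q1": ({"A"}, {"B"}, {"L"}),
    "q2": ({"L"}, {"B", "C"}, set()),
    "q3": ({"B"}, set(), set()),
    "q4": ({"C"}, set(), set()),
}


def transitive_closure(rel):
    rel = set(rel)
    while True:
        new = {(a, d) for (a, b) in rel for (c, d) in rel if b == c} - rel
        if not new:
            return rel
        rel |= new


def causality(grammar):
    """Def. 11: x<q if x in •q, q<x if x in q•, q<q' if q• meets q'_."""
    base = set()
    for q, (pre, ctx, post) in grammar.items():
        base |= {(x, q) for x in pre} | {(q, x) for x in post}
        base |= {(q, q2) for q2, (_, ctx2, _) in grammar.items() if post & ctx2}
    return transitive_closure(base)


def asymmetric_conflict(grammar, lt):
    """Def. 12 on productions: preserved/consumed, shared pre-set, or causality."""
    return {(q, q2)
            for q, (pre, ctx, _) in grammar.items()
            for q2, (pre2, _, _) in grammar.items()
            if (ctx & pre2) or (q != q2 and pre & pre2) or (q, q2) in lt}


def causes(x, lt, prods):
    """⌊x⌋ = {q in P : q <= x}."""
    return frozenset(q for q in prods if q == x or (q, x) in lt)


def acyclic_on(rel, nodes):
    sub = {(a, b) for (a, b) in rel if a in nodes and b in nodes}
    return all(a != b for (a, b) in transitive_closure(sub))


def occurrence_grammar_check(grammar):
    """Conditions (1)-(3) of Def. 13; also returns Min, i.e. the start graph."""
    lt = causality(grammar)
    ac = asymmetric_conflict(grammar, lt)
    prods = set(grammar)
    items = set(chain.from_iterable(p | c | r for p, c, r in grammar.values()))
    cond1 = all(a != b for (a, b) in lt) and \
        all(acyclic_on(ac, causes(q, lt, prods)) for q in prods)
    producers = {x: [q for q, (_, _, r) in grammar.items() if x in r] for x in items}
    cond3 = all(len(ps) <= 1 for ps in producers.values())      # |•x| <= 1
    minimal = frozenset(x for x in items if not producers[x])   # condition (2)
    return cond1 and cond3, minimal


def saturate(events, lt, ac):
    """Def. 15 (3): add e ↗ e' whenever ↗ is cyclic in ⌊e⌋ ∪ ⌊e'⌋."""
    return {(e, e2) for e in events for e2 in events
            if (e, e2) in ac
            or not acyclic_on(ac, causes(e, lt, events) | causes(e2, lt, events))}


def configurations(events, lt, ac):
    """Causally closed event sets on which ↗ is acyclic."""
    subsets = (frozenset(s) for k in range(len(events) + 1)
               for s in combinations(sorted(events), k))
    return [c for c in subsets
            if all(causes(e, lt, events) <= c for e in c) and acyclic_on(ac, c)]


def extends(c, c2, ac):
    """c ⊑ c2: c ⊆ c2 and no added event e' ∈ c2∖c has e' ↗ e for some e ∈ c."""
    return c <= c2 and not any((e2, e) in ac for e2 in c2 - c for e in c)


if __name__ == "__main__":
    ok, start = occurrence_grammar_check(GRAMMAR)
    lt = causality(GRAMMAR)
    ac = saturate(set(GRAMMAR), lt, asymmetric_conflict(GRAMMAR, lt))
    print("occurrence grammar:", ok, " start graph:", sorted(start))
    print("asymmetric conflict:", sorted(ac))
    for c in configurations(set(GRAMMAR), lt, ac):
        print(sorted(c))
```

Running it reproduces the data of the text: $q_1 < q_2$ is the only causality between productions, the asymmetric conflicts are $q_1 \nearrow q_2$, $q_1 \nearrow q_3$, $q_2 \nearrow q_3$ and $q_2 \nearrow q_4$, the start graph is $\{A, B, C\}$, and the twelve configurations are the causally closed subsets of $\{q_1, \ldots, q_4\}$. The `extends` check shows why the domain order is not inclusion: $\{3,4\}$ is not below $\{1,3,4\}$, because adding $q_1$ would violate $q_1 \nearrow q_3$.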
4.3 From AES's to Occurrence Grammars

Any AES is identified with a canonical occurrence grammar, via a free construction that mimics Winskel's one. Given an asymmetric event structure $\mathbb{A}$, the corresponding grammar has the events of $\mathbb{A}$ as production names, while the graph items are freely generated in order to induce the right kind of dependencies between events. More specifically, first the graph nodes are freely generated according to the dependencies in $\mathbb{A}$. Then for any pair of nodes, edges connecting the two nodes are freely generated according to the dependencies in $\mathbb{A}$ and the specific restrictions of the SPO rewriting mechanism.

Definition 18. Let $\mathbb{A} = (Ev, \leq, \nearrow)$ be an AES. The corresponding SPO occurrence graph grammar, denoted by $\mathcal{N}_s(\mathbb{A}) = (TG, P, \pi)$, is defined as follows:

— The type graph $TG = (N, E, s, t)$ is defined as below, where $A, B, \ldots$ range over generic sets of events and $x$ over sets of events of cardinality at most 1 (singletons or the empty set). Moreover by $x < e$, if $x = \{e'\}$ we mean that $e' < e$, while the relation trivially holds if $x = \emptyset$ (i.e. $\emptyset < e$, for any event $e$). Symmetrically, by $e < x$ with $x = \{e'\}$ we mean $e < e'$, while $e < \emptyset$ is intended to be always false.

  • Nodes:
  $$N = \left\{ (x, A, B) \;:\; \begin{array}{l} \forall e \in A \cup B.\ x < e, \\ \forall a \in A.\ \forall b \in B.\ a \nearrow b, \\ \forall b, b' \in B.\ b \neq b' \Rightarrow b \nearrow b' \end{array} \right\}$$

  • Edges:
  $$E = \left\{ (x, A, B, n_1, n_2) \;:\; \begin{array}{l} n_1 = (x_1, A_1, B_1),\ n_2 = (x_2, A_2, B_2) \in N, \\ \forall e \in A \cup B.\ x < e, \\ \forall a \in A.\ \forall b \in B.\ a \nearrow b, \\ \forall b, b' \in B.\ b \neq b' \Rightarrow b \nearrow b', \\ x_i < x \ \text{for } i \in \{1, 2\}, \\ A \subseteq A_1 \cap A_2, \\ B \subseteq (A_1 \cup B_1) \cap (A_2 \cup B_2), \\ \forall e_i \in B_i.\ \neg(e_i < x_j) \ \text{for } i, j \in \{1, 2\},\ i \neq j \end{array} \right\}$$

  • Source and target functions: $s((x, A, B, n_1, n_2)) = n_1$ and $t((x, A, B, n_1, n_2)) = n_2$.

— The set of productions $P = Ev$, and for any event $e \in Ev$ the corresponding production $\pi(e) = L_e \rightharpoonup R_e$ is defined as follows:

  • $|L_e| = \{\, n = (x, A, B),\ l = (x, A, B, n_1, n_2) \mid e \in A \cup B \,\}$

  • $|R_e| = \{\, n = (x, A, B),\ l = (x, A, B, n_1, n_2) \mid e \in x \cup A \,\}$

  The typing and the (partial) inclusion of $L_e$ in $R_e$ are the obvious ones.



A node in the type graph $TG$ is a triple $n = (x, A, B)$. The set $x$ might contain the event which generates the node $n$, or might be empty if the node is in the start graph; $A$ is the set of events which preserve the node $n$ and $B$ is the set of events which consume $n$. Clearly, the event in $x$, if any, must be a cause for every event in $A \cup B$, the events in $A$ must be in asymmetric conflict with the events in $B$, and the events in $B$ must be pairwise in conflict (represented as an asymmetric conflict in both directions, i.e., $b \nearrow b'$ and $b' \nearrow b$).

An edge in the type graph is a tuple $l = (x, A, B, n_1, n_2)$. The meaning of $x, A, B$ is the same as for nodes. The components $n_1$ and $n_2$ are intended to represent the source and target nodes of edge $l$. They are subject to requirements which arise from the specific features of the SPO rewriting mechanism. First, $x_i < x$ since the event which produces an edge must produce or preserve the source/target nodes. Any event which preserves the edge must also preserve the source/target, hence $A \subseteq A_1 \cap A_2$. Any event which consumes the edge must preserve or consume the source/target nodes, hence $B \subseteq (A_1 \cup B_1) \cap (A_2 \cup B_2)$.

Finally the nodes $n_1$ and $n_2$ must be allowed to coexist: the requirement $x_i < x$ already ensures that $n_1$ and $n_2$ are not in conflict. Moreover each node is asked not to causally depend on the events which consume the other one.

We conclude with the main result, stating that the construction of the occurrence grammar associated to an AES is functorial and left adjoint to $\mathcal{E}_s$, establishing a coreflection between OGG and AES. For any AES $\mathbb{A}$, $\mathcal{E}_s(\mathcal{N}_s(\mathbb{A})) = \mathbb{A}$ and the component at $\mathbb{A}$ of the unit of the adjunction is the identity.



Theorem 3 (coreflection between OGG and AES). The construction $\mathcal{N}_s$ extends to a functor that is left adjoint to $\mathcal{E}_s$.

Roughly speaking, the proof shows that, given any AES $\mathbb{A}$ and occurrence graph grammar $\mathcal{O}$, any AES-morphism $f : \mathbb{A} \to \mathcal{E}_s(\mathcal{O})$ uniquely extends to a graph grammar morphism $f : \mathcal{N}_s(\mathbb{A}) \to \mathcal{O}$. The type span component of morphism $f$ is

$$TG_{\mathcal{N}_s(\mathbb{A})} \xleftarrow{\ f_r\ } TG_{\mathcal{O}} \xrightarrow{\ id\ } TG_{\mathcal{O}},$$

where $f_r$ maps any item in $TG_{\mathcal{O}}$ to the only item in $TG_{\mathcal{N}_s(\mathbb{A})}$ which induces analogous dependencies among the events.

Summing up, Theorem 1 and Theorem 3 above give a chain of coreflections from the category SGG of semi-weighted SPO graph grammars to AES and Dom. The result can be extended to $GG^R$, the category of general SPO grammars with restricted morphisms (having the right component of the type span mono), by exploiting Theorem 2 and observing that $\mathcal{N}_s$ restricts to a well-defined functor $\mathcal{N}_s^R : AES \to OGG^R$. The possibility of generalising the result to other categories of grammars with relational morphisms is still open.

[Diagram: the chain of coreflections $SGG \rightleftarrows OGG \rightleftarrows AES \rightleftarrows Dom$.]
5 Conclusions

We have defined a functorial concurrent semantics for SPO graph grammars, expressed as a chain of coreflections leading from various categories of SPO grammars to the categories of AES's and domains. The approach originally proposed by Winskel in the setting of Petri nets has been fully extended to SPO graph grammars, improving the previous proposals where some steps of the construction were lacking, notably, in the case of the DPO approach, the functor from event structures to occurrence grammars.

A natural question regards the possibility of using these results for the DPO approach. We have already mentioned that for DPO graph grammars, due to the presence of application conditions for rules, a more complex kind of event structures, called inhibitor event structures [1], was introduced to obtain a functorial semantics. In this way a functor mapping any occurrence DPO grammar to an IES can be defined, which, however, does not admit a left adjoint. Still, an idea could be to view asymmetric event structures as a coreflective subcategory of inhibitor event structures and then to devise a construction which associates a canonical DPO grammar to any asymmetric event structure.

The theory developed in this paper naturally suggests a notion of graph process for SPO grammars, which can be defined as a deterministic occurrence grammar with a morphism to the original grammar. We conjecture that these processes correspond exactly to the concurrent derivations of [16], which in turn were characterised as special classes of graph grammars in [24].

The analogies between the first steps of the constructions for the SPO and 
DPO approaches (the proper unfolding constructions) suggest the possibility of 
developing a general theory of unfolding in abstract categories (e.g., high level 
replacement systems [10]). Some parts of the construction are rather concrete 
and not easy to recast in an abstract categorical setting, but still this represents 
a challenging topic of further investigation. 
Abstract. In [6] it was shown that fibring could be used to combine
institutions presented as c-parchments, and several completeness preser- 
vation results were established. However, their scope of applicability was 
limited to propositional-based logics. Herein, we extend these results to 
a broader class of logics, possibly including variables, terms and quanti- 
fiers. On the way, we need to consider an enriched notion of proof-calculus 
that deals explicitly with the substitution provisos that often appear in 
schematic inference rules. For illustration of the concepts, constructions 
and results, we shall adopt modal first-order logic as a working example. 



1 Introduction 

Working with several logics is the rule, in practice, to wit in knowledge repre- 
sentation and formal specification. Due to its intuitive simplicity and theoretical 
interest, the fibring mechanism for combining logics has deserved close attention 
[9, 3, 20, 25]. In [6], c-parchments were proposed for bringing fibring to the realm 
of institutions [10, 15, 11, 24], as an alternative to other approaches for combining 
institutions [16-18]. A major strength of fibring is the possibility to establish gen- 
eral transfer results from the logics being combined to the resulting fibred logic. 
Soundness and completeness preservation for propositional-based logics was also 
obtained in [6]. Herein, we extend these results beyond the propositional base. 

Recall that c-parchments, signature-indexed categories of c-rooms, are an 
evolution of [10, 17, 18] designed to promote a smooth characterization of fibring 
[20,25,5]. They differ from the model-theoretic parchments of [18] by endowing 
the algebras of truth- values with a Tarskian closure operation, rather than just a 
set of designated values. As shown in [6] , fibred c-parchments appear as colimits 
in the corresponding category. The proof-theoretic counterpart of c-rooms in [6] 
was played by a notion of calculus with schematic inference rules, fit for rep- 
resenting the Hilbert-style axiomatizations of propositional-based logics. Since 
these logics are usually structural, every instantiation of a schematic inference 
rule was allowed. However, if we want to represent more complex logics, we need 
to gain control over these instantiations. A paradigmatic example is the provisos in some of the axioms of first-order logic, e.g., requiring that a variable is not free in a formula. The idea of making these side conditions explicit is not new [21], but the technique we shall use is improved along [7, 22]. This fine control of instantiations also has an impact on fibring, again characterizable by colimits. These aspects settled, we can study soundness and completeness transfer results in a broader context. As before [5], soundness preservation is immediate, by definition of fibring. For completeness, we capitalize on the notion of fullness [25] for guaranteeing that the logics at hand have a sufficient amount of models. Under reasonable assumptions on the logics being fibred, their syntactic constructors and the properties of their proof-calculi, we also generalize the completeness preservation results of [6]. We illustrate fibring by providing a detailed analysis of modal first-order logic as a fibring of propositional modal logic and first-order logic, considering various choices for its semantics, and clarifying the importance of provisos and the applicability of the completeness results.

* This work was partially supported by FCT and FEDER, namely, via the Project FibLog POCTI/MAT/37239/2001 of CLC.

In Section 2 we set up logic-parchments by recalling the details of c-parchments and introducing an improved version of proof-calculus. Section 3 is dedicated to fibring. After an overview of fibred semantics, we proceed to the cate-
gorial characterization of fibred logics, by understanding fibred deduction in the 
presence of provisos. A general soundness preservation result is also established, 
and the fundamental notion of fullness is introduced. In Section 4, we study 
completeness preservation under meaningful fullness requirements and reason- 
able assumptions on the syntactic constructors and the proof-calculi of the logics 
being fibred. We conclude by discussing the results obtained, their limitations 
and future work. 

2 Rooms and Parchments 

We consider, in turn, semantics, deduction, and finally logics. 

2.1 Semantics 

In the sequel, $\mathbf{AlgSig}_\phi$ is the category of many-sorted signatures $\Sigma = (S, O)$, where $S$ is a set (of sorts) and $O = \{O_w\}_{w \in S^+}$ is a family of sets (of operators) indexed by their type, with a distinguished sort $\phi \in S$ (for formulas) and morphisms preserving it. We denote by $\mathbf{Alg}(\Sigma)$ the category of $\Sigma$-algebras and homomorphisms, and by $\mathbf{cAlg}(\Sigma)$ the class of all interpretation structures $(A, c)$ with $A$ a $\Sigma$-algebra and $c$ a closure operation on $|A|_\phi$ (the carrier of sort $\phi$, intuitively corresponding to the set of truth-values). Recall that a closure operation $c : \wp(|A|_\phi) \to \wp(|A|_\phi)$ is extensive, monotonic and idempotent, i.e., $B \subseteq B^c$, $B^c \subseteq (B \cup B')^c$ and $(B^c)^c \subseteq B^c$. We use $W_\Sigma$ to denote the free $\Sigma$-algebra (the word algebra), $Form_\Sigma$ to denote the set $|W_\Sigma|_\phi$ of formulas, and $[\![\_]\!]_A$ (for word interpretation) to denote the unique $\mathbf{Alg}(\Sigma)$-homomorphism from $W_\Sigma$ to a given $\Sigma$-algebra $A$. We use $\varphi, \psi$ to denote formulas, and $\Phi, \Psi$ sets of formulas. Elements of $|W_\Sigma|_s$ are referred to as terms and denoted by $t$. Every $\mathbf{AlgSig}_\phi$-morphism $h : \Sigma_1 \to \Sigma_2$ has an associated reduct functor $\_|_h : \mathbf{Alg}(\Sigma_2) \to \mathbf{Alg}(\Sigma_1)$. Note that $[\![t]\!]_{A|_h} = [\![h(t)]\!]_A$ for each $t \in |W_{\Sigma_1}|_s$ and $\Sigma_2$-algebra $A$. As usual, we overload the notation and write $h$ for word translation instead of $[\![\_]\!]_{W_{\Sigma_2}|_h}$, to denote the unique $\mathbf{Alg}(\Sigma_1)$-homomorphism from $W_{\Sigma_1}$ to $W_{\Sigma_2}|_h$.
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Definition 1 . A c-room is a pair TZ = {S,M) with E G jAlgSig^j and M C 
cAlg(A). A morphism of c-rooms from TZ\ = to T^-2 = (E2,M2) is an 

AlgSig^-morphism h ■. Ex ^ E2 such that {A\h, c) G M\ for every (A, c) G M2- 

Clearly, c-rooms and morphisms set up a category CPRoom, from which the 
category CPar of c-parchments is obtained by a simple Grothendieck construc- 
tion (see [6]). Namely, a c-parchment is a functor from any given category Sig of 
abstract signatures to CPRoom. Building on the cocompleteness of CPRoom, 
CPar is cocomplete [6]. A c-room TZ = (E,M) induces an entailmenA rela- 
tion defined by 'f’ if W.4 G {M.4 • f G for every (A, c) G M, 

where ‘P U {f/'} C Formj;. The following property holds: if h : TZ\ — >■ TZ.2 is 
a c-room morphism and tf then /i(^) Given a c-parchment 

R : Sig CPRoom and G G |Sig|, we denote simply by \=q. 

Example 1. A is a fixed set of variables. The c-parchment of first-order logic 
with equality is the functor FOLEq defined from the category Set''^“ x Set''^ 
of abstract signatures {F,P) of ranked function and predicate alphabets, by 
assigning to each (F,P) the c-room TZpoleq = {^FOLEq,M) such that: 

- EpoLEq = ({r, (/)}, O) with Or = X\J Fq, Orr^r = Fn for n > 0 , Oi-n0 = 

for n yf 2 , Or^^ = P2 U {=}, = {-■} U {Va; : x G A}, 0^2^ = {^}; 

— M contains all structures (A, c) obtained from (F, P)-interpretations {D,I) 
with P yf 0 , // : P" -)> P for / G P„, pi C P” for p G P„, by: \A\r = 
pAsg(^P), \A\^ = p(Asg(A, P)), where Asg(A, P) = is the set of as- 
signments xjx{h) = for X G A, fA{{ei)){h-) = //((e*(M))) for / G P, 
PA{{ez)) = {p : (e*(/r)) G pi} for p G P, =a (61,62) = {p : 6i(/x) = 62(1^)}, 
“•^(f) = Asg(A, P) \v, Vxa(v) = {m '■ p[x/d] G V for every d G P}, 
^a{vi,V2) = (Asg(A, P) \wi) Ui;2; c : pdAj^) pdAj^) is the cut closure 
induced by set inclusion: given V G pdAj^), = {u G \A\(f, : (H ^ r:} is 
the principal ideal determined by (P| V) on the complete lattice (pdAj^), P). 

The denotation of a formula is the set of all assignments for which it holds. 
First-order logic without equality can be obtained by omitting G=. 

Example 2. The c-parchment $K$ of propositional modal logic is defined from the category $\mathbf{Set}$ of abstract signatures, by mapping each set $PS$ of propositional symbols to the c-room $\mathcal{R}_K = (\Sigma_K, M)$ such that:

- $\Sigma_K = (\{\phi\}, O)$ with $O_\phi = PS$, $O_{\phi\phi} = \{\Box, \neg\}$, $O_{\phi^2 \phi} = \{\Rightarrow\}$;

- $M$ contains every $(A, c)$ obtained from Kripke models $(W, R, \vartheta)$ with $W \neq \emptyset$, $R \subseteq W^2$, $\vartheta : PS \to \wp(W)$, by: $|A|_\phi = \wp(W)$; $q_A = \vartheta(q)$ for $q \in PS$, $\Box_A(U) = \{w : \{w' : wRw'\} \subseteq U\}$, $\neg_A(U) = W \setminus U$, $\Rightarrow_A(U_1, U_2) = (W \setminus U_1) \cup U_2$; $c : \wp(|A|_\phi) \to \wp(|A|_\phi)$ is the cut closure induced by $\subseteq$.

The denotation of a formula is the set of all worlds where it holds.

$^1$ This is a local entailment relation. A stronger, global, entailment can also be defined by letting $\Psi \models^g_{\mathcal{R}} \varphi$ if $[\varphi]_A \in \emptyset^c$ whenever $\{[\psi]_A : \psi \in \Psi\} \subseteq \emptyset^c$ for every $(A, c) \in M$. This terminology is borrowed from [5] and is reflected, below, by the separation of local and global rules in deduction-rooms.
2.2 Deduction

As noted in [21], to represent the Hilbert-calculi of non-propositional-based logics we need a notion of schematic inference rule with a proviso delimiting its possible instantiations. From now on $\xi$, with any decoration, stands for a schema variable. Given $\Sigma = (S, O)$ and $s \in S$, we denote by $\Xi_s$ the set $\{\xi^s_k : k \in \mathbb{N}_0\}$ and let $\Xi = \{\Xi_s\}_{s \in S}$. We define the set of schema formulas $\mathrm{Form}_\Sigma(\Xi)$ to be the carrier of sort $\phi$ in the free algebra $W_\Sigma(\Xi)$ with generators $\Xi$. We use $\gamma, \delta$ to denote schema formulas, and $\Gamma, \Delta$ sets of schema formulas. Elements of $|W_\Sigma(\Xi)|_s$ are schema terms, denoted by $\theta$. A schema substitution is a family $\sigma = \{\sigma_s : \Xi_s \to |W_\Sigma(\Xi)|_s\}_{s \in S}$, that extends freely to schema terms. We write $\theta\sigma$ for the corresponding instantiation. $\mathrm{SSub}(\Sigma)$ denotes the set of schema substitutions over $\Sigma$. If $\sigma$ maps each schema variable to a term without schema variables, we call it a (ground) substitution and denote it by $\rho$. $\mathrm{Sub}(\Sigma)$ denotes the set of all substitutions. Given $h : \Sigma \to \Sigma'$, we use $h(\sigma)$ to denote $(h \circ \sigma) \in \mathrm{SSub}(\Sigma')$. In the sequel, $\mathbf{AlgSig}^\phi(\Sigma, \_)$ denotes the class of all morphisms with domain $\Sigma$.

Definition 2. A $\Sigma$-proviso is $\pi = \{\pi_h\}_{h \in \mathbf{AlgSig}^\phi(\Sigma, \_)}$, where $\pi_h \subseteq \mathrm{Sub}(\Sigma')$ for each $h : \Sigma \to \Sigma'$, such that $\rho \in \pi_h$ if and only if $h'(\rho) \in \pi_{h' \circ h}$.

Provisos make their behaviour explicit on signature changes, which is essential when inference rules are translated to a richer language [7]. We denote by $\mathrm{univ}$ the universal $\Sigma$-proviso, $\mathrm{univ}_h = \mathrm{Sub}(\Sigma')$ for $h : \Sigma \to \Sigma'$. Given a $\Sigma$-proviso $\pi$ we denote by $\pi_\Sigma$ the component $\pi_{\mathrm{id}_\Sigma}$. Given $h : \Sigma \to \Sigma'$, we denote by $h(\pi)$ the $\Sigma'$-proviso such that $h(\pi)_{h'} = \pi_{h' \circ h}$. Given $\sigma \in \mathrm{SSub}(\Sigma)$ we denote by $\pi\sigma$ the $\Sigma$-proviso defined by $(\pi\sigma)_h = \{\rho \in \mathrm{Sub}(\Sigma') : \rho \circ h(\sigma) \in \pi_h\}$. Note that for $\rho \in \mathrm{Sub}(\Sigma)$, $\pi\rho = \mathrm{univ}$ if $\rho \in \pi_\Sigma$, and $\pi\rho = \emptyset$ if $\rho \notin \pi_\Sigma$. By analogy, we define $\sigma \in \pi_\Sigma$ if $\pi\sigma = \mathrm{univ}$. Given $\Sigma$-provisos $\pi_1$ and $\pi_2$ we denote by $\pi_1 \cap \pi_2$ the $\Sigma$-proviso such that $(\pi_1 \cap \pi_2)_h = (\pi_1)_h \cap (\pi_2)_h$. We say that $\pi_1 \subseteq \pi_2$ iff $\pi_{1h} \subseteq \pi_{2h}$. A $\Sigma$-proviso $\pi$ is said to be insensitive to $\xi$ if for every $h : \Sigma \to \Sigma'$ and any $\rho, \rho' \in \mathrm{Sub}(\Sigma')$ that may only differ on $\xi$, $\rho \in \pi_h$ if and only if $\rho' \in \pi_h$.

Example 3. Recall Example 1 and let $x \in X$. We define the following provisos:

- $\mathrm{nfv}(\xi^\phi_1, x)$: given $h$, $\rho \in \mathrm{nfv}(\xi^\phi_1, x)_h$ if $h(x)$ does not occur free in $\rho(\xi^\phi_1)$;

- $\mathrm{fts}(\xi^\phi_1, \xi^\phi_2, \xi^\tau_1, x)$: given $h$, $\rho \in \mathrm{fts}(\xi^\phi_1, \xi^\phi_2, \xi^\tau_1, x)_h$ if $\rho(\xi^\tau_1)$ is free for $h(x)$ in $\rho(\xi^\phi_1)$ and $\rho(\xi^\phi_2)$ is $\rho(\xi^\phi_1)$ with all free occurrences of $h(x)$ replaced by $\rho(\xi^\tau_1)$;

- $\mathrm{eqrep}(\xi^\phi_1, \xi^\phi_2, x, y)$: given $h$, $\rho \in \mathrm{eqrep}(\xi^\phi_1, \xi^\phi_2, x, y)_h$ if $\rho(\xi^\phi_2)$ is $\rho(\xi^\phi_1)$ with some free occurrences of $h(x)$, out of the scope of $h(\forall y)$, replaced by $h(y)$.$^2$

Definition 3. A $\Sigma$-rule is a triple $(\Delta, \delta, \pi)$ with $\Delta \cup \{\delta\} \subseteq \mathrm{Form}_\Sigma(\Xi)$ finite and $\pi$ a $\Sigma$-proviso insensitive to all the schema variables not in $\Delta \cup \{\delta\}$.

We represent $r = (\Delta, \delta, \pi)$ by $\frac{\Delta}{\delta} : \pi$, or even $\frac{\gamma_1, \ldots, \gamma_n}{\delta} : \pi$ if $\Delta = \{\gamma_1, \ldots, \gamma_n\}$. If the set of premises $\Delta$ is empty the rule is identified with its conclusion $\delta$ and proviso $\pi$ and called a schema axiom. The translation of $r$ by $h : \Sigma \to \Sigma'$ is the $\Sigma'$-rule $h(r) = (h(\Delta), h(\delta), h(\pi))$.

^ We mean that h{x) always occurs in the scope of h(f/x). If variables and quantifiers 
are maintained on translating via h, it means precisely that x occurs under Vx. 
As in [20,25,5,6], we explicitly distinguish local from global inference rules (see Examples 4 and 5). The nature of this distinction shows up both in their different deductive roles and in their different soundness requirements, below.

Definition 4. A deduction-room (d-room, for short) is a triple $\mathcal{D} = (\Sigma, lR, gR)$ where $lR \cup gR$ is a set of $\Sigma$-rules such that $gR$-rules have non-empty premises. A morphism of d-rooms from $\mathcal{D}_1 = (\Sigma_1, lR_1, gR_1)$ to $\mathcal{D}_2 = (\Sigma_2, lR_2, gR_2)$ is an $\mathbf{AlgSig}^\phi$-morphism $h : \Sigma_1 \to \Sigma_2$ such that $h(lR_1) \subseteq lR_2$ and $h(gR_1) \subseteq gR_2$.

Deduction-rooms and morphisms set up a category DRoom, from which 
the category DPar of deduction-parchments (d-parchments) is obtained by a 
Grothendieck construction, its colimits built from colimits in DRoom, as in [6]. 

Each $\mathcal{D} = (\Sigma, lR, gR)$ induces a deducibility relation, built on top of a notion of theoremhood (the global counterpart of (local) deducibility). Let $\Gamma \cup \{\delta\} \subseteq \mathrm{Form}_\Sigma(\Xi)$ and $\pi$ be a $\Sigma$-proviso. We say that $\delta$ with proviso $\pi$ is a schema theorem of $\mathcal{D}$ generated from $\Gamma$, $\Gamma \vdash^g_{\mathcal{D}} \delta : \pi$, if there exists a finite sequence $(\delta_1, \pi_1), \ldots, (\delta_n, \pi_n)$ with $\delta = \delta_n$ and $\pi \subseteq \pi_n$, such that for each $i$, either $\delta_i \in \Gamma$ and $\pi_i = \mathrm{univ}$, or there exists a rule $(\Gamma_r, \delta_r, \pi_r) \in lR \cup gR$ and $\sigma \in \mathrm{SSub}(\Sigma)$ with $\Gamma_r\sigma = \{\delta_{j_1}, \ldots, \delta_{j_k}\} \subseteq \{\delta_j : j < i\}$, $\delta_i = \delta_r\sigma$ and $\pi_i = (\pi_{j_1} \cap \cdots \cap \pi_{j_k}) \cap \pi_r\sigma$.

To simplify, we write $\vdash^g_{\mathcal{D}} \delta : \pi$ if $\Gamma = \emptyset$, or $\Gamma \vdash^g_{\mathcal{D}} \delta$ if $\pi = \mathrm{univ}$. Easily, for every $\sigma \in \mathrm{SSub}(\Sigma)$: if $\Gamma \vdash^g_{\mathcal{D}} \delta : \pi$ then $\Gamma\sigma \vdash^g_{\mathcal{D}} \delta\sigma : \pi\sigma$. In deductions, now, only $lR$-rules and schema theorems are allowed. We say that $\delta$ with proviso $\pi$ is deducible in $\mathcal{D}$ from $\Gamma$, $\Gamma \vdash_{\mathcal{D}} \delta : \pi$, if there exist $(\delta_1, \pi_1), \ldots, (\delta_n, \pi_n)$ with $\delta = \delta_n$ and $\pi \subseteq \pi_n$, such that for each $i$, either $\delta_i \in \Gamma$ and $\pi_i = \mathrm{univ}$, or $\vdash^g_{\mathcal{D}} \delta_i : \pi_i$, or there exists a rule $(\Gamma_r, \delta_r, \pi_r) \in lR$ and $\sigma \in \mathrm{SSub}(\Sigma)$ such that $\Gamma_r\sigma = \{\delta_{j_1}, \ldots, \delta_{j_k}\} \subseteq \{\delta_j : j < i\}$, $\delta_i = \delta_r\sigma$ and $\pi_i = (\pi_{j_1} \cap \cdots \cap \pi_{j_k}) \cap \pi_r\sigma$.

Simplified notation applies to $\vdash_{\mathcal{D}}$, and the following also holds: if $\Gamma \vdash_{\mathcal{D}} \delta : \pi$ then $\Gamma\sigma \vdash_{\mathcal{D}} \delta\sigma : \pi\sigma$. Given a d-parchment $D : \mathbf{Sig} \to \mathbf{DRoom}$, we denote each $\vdash_{D(\Omega)}$ by $\vdash_\Omega$. The next structurality result is straightforward.

Proposition 1. Let $h : \mathcal{D} \to \mathcal{D}'$ be a d-room morphism. If $\Gamma \vdash^g_{\mathcal{D}} \delta : \pi$ then $h(\Gamma) \vdash^g_{\mathcal{D}'} h(\delta) : h(\pi)$, and if $\Gamma \vdash_{\mathcal{D}} \delta : \pi$ then $h(\Gamma) \vdash_{\mathcal{D}'} h(\delta) : h(\pi)$.

Example 4. The d-parchment for first-order logic with equality is the functor $\mathrm{FOLEq} : \mathbf{Set}^{\mathbb{N}} \times \mathbf{Set}^{\mathbb{N}} \to \mathbf{DRoom}$ that maps each $(F, P)$ to the d-room $\mathcal{D}_{FOLEq} = (\Sigma_{FOLEq}, lR, gR)$, with $\Sigma_{FOLEq}$ defined as in Example 1 and:

^R- ^ : univ 

^ (a ^ ^)) ^ ^ Q ^ ^ ^ 

^ ^ ^ O ■ univ 

(Va: (^^ ^ Cp) ^ ^ (Va: Cp) : ufv{^l, x) 

\/x (x = x) : univ 

(x = y)^ (^1 ^ Q : eqrepi^l, Q, x, y) 

: univ- 



: univ. 
The shape of the fourth axiom is unusual. The usual notation that replaces $\xi^\phi_2$ by $\xi^\phi_1(x := t)$ and requires $t$ to be free for $x$ is fine, informally, but we make it precise with $\mathrm{fts}$. Let us deduce $\forall x\, p(x) \vdash_{\mathcal{D}_{FOLEq}} p(x)$, with $p$ a unary predicate.

1. $(\forall x\, p(x), \mathrm{univ})$ Hypothesis

2. $((\forall x\, p(x)) \Rightarrow p(x), \mathrm{univ})$ Axiom 4

3. $(p(x), \mathrm{univ})$ MP rule: 1, 2

In step 2, we used the fourth axiom with substitution P 2 {^^) = Vx p{x), P 2 (?|) = 
p(x) and p2(Cr) = X. Easily, p 2 G and so 

^l,x)p 2 = univ. In step 3, we used MP with psi^^) = Vx p{x) and = 

(Vx p{x)) p{x). 
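As an added illustration (not code from the paper), the Python below implements the schema-formula machinery of Section 2.2 for the identity signature morphism: free variables, replacement of the free occurrences of a variable with a capture check, the provisos $\mathrm{nfv}$ and $\mathrm{fts}$ of Example 3 as boolean tests, and a checker that replays the deduction of $\forall x\, p(x) \vdash p(x)$ above using axiom 4 and MP. The tuple encoding of formulas, the function names and the rejected instance with quantifier capture are constructions of ours, not the paper's.

```python
# Added example, not from the paper: schema substitution, the provisos nfv
# and fts of Example 3, and a checker replaying the deduction of Example 4.
# Encoding (ours): a term is a variable name or ("f", name, args); a formula
# is ("pred", name, args), ("not", f), ("imp", f, g) or ("all", x, f).

def free_vars(f):
    """Free variables of a term or formula."""
    if isinstance(f, str):
        return {f}
    tag = f[0]
    if tag in ("pred", "f"):
        return set().union(*(free_vars(a) for a in f[2]))
    if tag == "not":
        return free_vars(f[1])
    if tag == "imp":
        return free_vars(f[1]) | free_vars(f[2])
    if tag == "all":
        return free_vars(f[2]) - {f[1]}
    raise ValueError(f"unknown node {tag}")

def subst(f, x, t):
    """f with every free occurrence of variable x replaced by term t.
    Raises ValueError when t is not free for x in f (a variable of t would
    be captured by a quantifier)."""
    if isinstance(f, str):
        return t if f == x else f
    tag = f[0]
    if tag in ("pred", "f"):
        return (tag, f[1], tuple(subst(a, x, t) for a in f[2]))
    if tag == "not":
        return ("not", subst(f[1], x, t))
    if tag == "imp":
        return ("imp", subst(f[1], x, t), subst(f[2], x, t))
    y, body = f[1], f[2]                        # tag == "all"
    if y == x or x not in free_vars(body):
        return f                                # no free x inside
    if y in free_vars(t):
        raise ValueError(f"{t!r} is not free for {x!r}: {y!r} would be captured")
    return ("all", y, subst(body, x, t))

def nfv(phi, x):
    """Proviso nfv(xi, x) at the identity morphism: x does not occur free in phi."""
    return x not in free_vars(phi)

def fts(phi1, phi2, t, x):
    """Proviso fts(xi1, xi2, xi_tau, x) at the identity morphism: t is free
    for x in phi1 and phi2 is phi1 with the free occurrences of x replaced by t."""
    try:
        return subst(phi1, x, t) == phi2
    except ValueError:
        return False

def check_derivation(hyps, steps):
    """Replay a deduction Gamma |- delta.  Each step is (formula, justification)
    with justification ("hyp",), ("ax4", t) for an instance
    (forall x phi1) => phi2 of axiom 4 under fts, or ("mp", i, j) for modus
    ponens from earlier steps i and j (1-based).  Returns the conclusion or
    raises ValueError at the first unjustified step."""
    derived = []
    for n, (formula, just) in enumerate(steps, 1):
        if just[0] == "hyp":
            ok = formula in hyps
        elif just[0] == "ax4":
            ok = (formula[0] == "imp" and formula[1][0] == "all"
                  and fts(formula[1][2], formula[2], just[1], formula[1][1]))
        elif just[0] == "mp":
            prem, impl = derived[just[1] - 1], derived[just[2] - 1]
            ok = impl == ("imp", prem, formula)
        else:
            ok = False
        if not ok:
            raise ValueError(f"step {n} is not justified: {formula!r}")
        derived.append(formula)
    return derived[-1]

# Constructed instance: the deduction forall x p(x) |- p(x) of Example 4.
P_X = ("pred", "p", ("x",))
ALL_X_P = ("all", "x", P_X)

def example_deduction():
    steps = [
        (ALL_X_P, ("hyp",)),                    # 1. hypothesis
        (("imp", ALL_X_P, P_X), ("ax4", "x")),  # 2. axiom 4, t = x, fts holds
        (P_X, ("mp", 1, 2)),                    # 3. MP from 1 and 2
    ]
    return check_derivation({ALL_X_P}, steps)

def capture_example():
    """Why fts is needed: y is not free for x in forall y (x = y), so
    (forall x forall y (x = y)) => forall y (y = y) is not an axiom-4 instance."""
    phi1 = ("all", "y", ("pred", "=", ("x", "y")))
    phi2 = ("all", "y", ("pred", "=", ("y", "y")))
    return fts(phi1, phi2, "y", "x")
```

The checker treats provisos the way Section 2.2 does for ground substitutions: an axiom instance is accepted only when the substitution lies in $\pi_\Sigma$, here tested by `fts`, and a step justified by MP is accepted only when the earlier implication has exactly the right shape. Replacing `"y"` by `"z"` in `capture_example` makes the instance acceptable again, since `z` is free for `x` there.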



Example 5. The d-parchment for modal logic is $K : \mathbf{Set} \to \mathbf{DRoom}$, mapping each $PS$ to $\mathcal{D}_K = (\Sigma_K, lR, gR)$, with $\Sigma_K$ defined as in Example 2 and:

(I ^l) ■ univ 

(a ^ ^ ^)) ^ ^ o ^ ^ ^ 

^ (0 ^ ^l) ■ univ 

a{e^^e^)^iae^^ae^):nmv 




2.3 Logics 

Often, we shall consider a c-parchment $R : \mathbf{Sig} \to \mathbf{CPRoom}$ together with a d-parchment $D : \mathbf{Sig} \to \mathbf{DRoom}$ such that, for each $\Omega \in |\mathbf{Sig}|$, $R(\Omega)$ and $D(\Omega)$ share the same signature $\Sigma_\Omega$. With $\Phi \cup \{\varphi\}$ a set of formulas, we define:

- $D$ is sound for $R$ if $\Phi \vdash_\Omega \varphi$ implies $\Phi \models_\Omega \varphi$, for all $\Omega$;

- $D$ is weakly complete for $R$ if $\models_\Omega \varphi$ implies $\vdash_\Omega \varphi$, for all $\Omega$;

- $D$ is finitely complete for $R$ if $\Phi$ finite and $\Phi \models_\Omega \varphi$ imply $\Phi \vdash_\Omega \varphi$, for all $\Omega$;

- $D$ is complete for $R$ if $\Phi \models_\Omega \varphi$ implies $\Phi \vdash_\Omega \varphi$, for all $\Omega$.

A $\Sigma$-rule $r = (\Gamma, \delta, \pi)$ is said to be locally sound for $(A, c) \in \mathrm{cAlg}(\Sigma)$ if $[\delta\rho]_A \in \{[\gamma\rho]_A : \gamma \in \Gamma\}^c$, for every $\rho \in \pi_\Sigma$, and globally sound if $[\delta\rho]_A \in \emptyset^c$ whenever $\{[\gamma\rho]_A : \gamma \in \Gamma\} \subseteq \emptyset^c$, for every $\rho \in \pi_\Sigma$. If all the rules of a d-room $\mathcal{D}$ are sound for all the structures of a c-room $\mathcal{R}$, i.e., the rules in $lR$ are locally sound and the rules in $gR$ are globally sound, we say that the rules of $\mathcal{D}$ are sound for $\mathcal{R}$. Obviously, if the rules of $D(\Omega)$ are sound for $R(\Omega)$ for every $\Omega$, then the d-parchment $D$ is sound for the c-parchment $R$ [20,25,5].
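As an added illustration (not code from the paper), the Python below makes the local/global distinction concrete on the powerset c-room of Example 2. It computes the cut closure as $B^c = \mathrm{Upp}(\mathrm{Low}(B))$ on a small finite lattice, which is the form Section 4 uses for partial-order structures, verifies that this operation is extensive, monotone and idempotent, and then checks every instance of modus ponens, of the modal axiom $\Box(\xi_1 \Rightarrow \xi_2) \Rightarrow (\Box\xi_1 \Rightarrow \Box\xi_2)$ and of necessitation against the two soundness conditions just defined. The three-world Kripke model and all function names are constructed for this example.

```python
# Added example, not from the paper: local vs. global soundness over the
# powerset c-room of Example 2, with the cut closure computed explicitly.
from itertools import combinations

def powerset(xs):
    """All subsets of xs, as frozensets."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]

def upp(lattice, B):
    """Upper polarity: elements above every member of B (order: inclusion)."""
    return {a for a in lattice if all(b <= a for b in B)}

def low(lattice, B):
    """Lower polarity: elements below every member of B."""
    return {a for a in lattice if all(a <= b for b in B)}

def cut_closure(lattice, B):
    """B^c = Upp(Low(B)); on a powerset this is {a : intersection of B <= a}."""
    return upp(lattice, low(lattice, B))

# Constructed Kripke model (W, R): three worlds, w2 has no successor.
W = frozenset({"w0", "w1", "w2"})
R = {("w0", "w1"), ("w0", "w2"), ("w1", "w1")}
LATTICE = powerset(W)            # the carrier |A|_phi = powerset(W)

def box(U):
    """box_A(U) = {w : every R-successor of w is in U}."""
    return frozenset(w for w in W if all(w2 in U for (w1, w2) in R if w1 == w))

def imp(U1, U2):
    """=>_A(U1, U2) = (W minus U1) union U2."""
    return (W - U1) | U2

def locally_sound(premises, conclusion):
    """One rule instance: [delta] must lie in {[gamma_1], ..., [gamma_n]}^c."""
    return conclusion in cut_closure(LATTICE, set(premises))

def globally_sound(premises, conclusion):
    """One rule instance: all premises in empty^c must force [delta] into empty^c."""
    top = cut_closure(LATTICE, set())    # on a powerset, empty^c = {W}
    return conclusion in top or not all(p in top for p in premises)

def check_rules():
    """Check every instance of MP (xi1, xi1 => xi2 / xi2) and of
    necessitation (xi1 / box xi1) over the lattice.  Returns
    (mp_locally_sound, nec_globally_sound, nec_locally_sound)."""
    mp_local = all(locally_sound([U1, imp(U1, U2)], U2)
                   for U1 in LATTICE for U2 in LATTICE)
    nec_global = all(globally_sound([U], box(U)) for U in LATTICE)
    nec_local = all(locally_sound([U], box(U)) for U in LATTICE)
    return mp_local, nec_global, nec_local

def axiom_K_sound():
    """An axiom has no premises, so local soundness means [delta] in empty^c,
    i.e. box(xi1 => xi2) => (box xi1 => box xi2) denotes W for every instance."""
    return all(locally_sound([], imp(box(imp(U1, U2)), imp(box(U1), box(U2))))
               for U1 in LATTICE for U2 in LATTICE)

def closure_laws_hold():
    """Upp(Low(_)) is extensive, idempotent and monotone on every B."""
    for B in powerset(LATTICE):
        Bc = cut_closure(LATTICE, B)
        if not (B <= Bc and cut_closure(LATTICE, Bc) == Bc):
            return False
        if any(not Bc <= cut_closure(LATTICE, B | {x}) for x in LATTICE):
            return False
    return True

if __name__ == "__main__":
    print("MP local, Nec global, Nec local:", check_rules())   # (True, True, False)
```

The result `(True, True, False)` is the point of the section: modus ponens belongs in $lR$, while necessitation is globally sound but fails local soundness (for $U = \{w_0\}$ one has $\Box_A(U) = \{w_2\}$, which is not above $U$), so it can only be a $gR$-rule.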

Definition 5. A logic-room (l-room, for short) is a tuple $\mathcal{L} = (\Sigma, M, lR, gR)$ where $\mathcal{R}(\mathcal{L}) = (\Sigma, M)$ is a c-room and $\mathcal{D}(\mathcal{L}) = (\Sigma, lR, gR)$ is a d-room with rules sound for $\mathcal{R}(\mathcal{L})$. A morphism of l-rooms from $\mathcal{L}_1$ to $\mathcal{L}_2$ is an $\mathbf{AlgSig}^\phi$-morphism $h : \Sigma_1 \to \Sigma_2$ such that $h : \mathcal{R}(\mathcal{L}_1) \to \mathcal{R}(\mathcal{L}_2)$ is a morphism of c-rooms and $h : \mathcal{D}(\mathcal{L}_1) \to \mathcal{D}(\mathcal{L}_2)$ a morphism of d-rooms.
Logic-rooms and morphisms set up a cocomplete category $\mathbf{LRoom}$. The category $\mathbf{LPar}$ of logic-parchments (l-parchments) is again obtained by a Grothendieck construction, and is also cocomplete (see [6]). We write $\models_{\mathcal{L}}$ and $\vdash_{\mathcal{L}}$ for $\models_{\mathcal{R}(\mathcal{L})}$ and $\vdash_{\mathcal{D}(\mathcal{L})}$, and say that $\mathcal{L}$ is (weakly/finitely) complete when $\mathcal{D}(\mathcal{L})$ is, for $\mathcal{R}(\mathcal{L})$. By definition, all l-rooms are sound. Given an l-parchment $L : \mathbf{Sig} \to \mathbf{LRoom}$ and $\Omega \in |\mathbf{Sig}|$, we denote $\models_{L(\Omega)}$ and $\vdash_{L(\Omega)}$ simply by $\models_\Omega$ and $\vdash_\Omega$.

In [20, 25] we have noted that fibring is very sensitive to the way logics are presented, leading sometimes to the so-called collapsing problem [23]. Deductively, this difficulty can be dealt with by an appropriate use of provisos. Semantically, a way to deal with the possible trivialization of fibred logics is to require certain fullness conditions, guaranteeing that the logics have “enough” models [25]. Given $\Sigma \in |\mathbf{AlgSig}^\phi|$, let $\mathcal{I} \subseteq \mathrm{cAlg}(\Sigma)$ be a class of intended structures.

Definition 6. An l-room $\mathcal{L} = (\Sigma, M, lR, gR)$ is full for $\mathcal{I}$ if $M$ contains every $(A, c) \in \mathcal{I}$ for which the rules of $\mathcal{D}(\mathcal{L})$ are sound.

Although fullness seems to be a fairly strong requirement, making an l-room full for $\mathcal{I}$ is a well-behaved operation. Given $\mathcal{L} = (\Sigma, M, lR, gR)$, its full version is $\overline{\mathcal{L}} = (\Sigma, \overline{M}, lR, gR)$ with $\overline{M} = M \cup \{(A, c) \in \mathcal{I} : \mathcal{D}(\mathcal{L})$ is sound for $(A, c)\}$. This definition easily extends to an endofunctor in $\mathbf{LPar}$. More important is the fact that soundness and completeness carry over from $\mathcal{L}$ to $\overline{\mathcal{L}}$. In general, we have that $\vdash_{\mathcal{L}} = \vdash_{\overline{\mathcal{L}}} \subseteq \models_{\overline{\mathcal{L}}} \subseteq \models_{\mathcal{L}}$, meaning that $\models_{\overline{\mathcal{L}}}$ can be weaker than $\models_{\mathcal{L}}$ but if that happens $\overline{\mathcal{L}}$ is closer to being complete. Later, in the context of fibring, we shall consider several interesting choices of intended structures. For now, we just consider the unrestricted class of all interpretation structures.

Example 6. The l-parchment $\mathrm{FOLEq}$ of first-order logic with equality maps each $(F, P)$ to the room $\mathcal{L}_{FOLEq} = (\Sigma_{FOLEq}, M, lR, gR)$, with $\mathcal{R}_{FOLEq} = (\Sigma_{FOLEq}, M)$ and $\mathcal{D}_{FOLEq} = (\Sigma_{FOLEq}, lR, gR)$ as in Examples 1 and 4, well known to be sound and complete [14]. Its full unrestricted version $\overline{\mathrm{FOLEq}}$ considers, instead, the room $\overline{\mathcal{L}}_{FOLEq} = (\Sigma_{FOLEq}, \overline{M}, lR, gR)$ where $\overline{M}$ contains all structures making $\mathcal{D}_{FOLEq}$ sound, and not just the usual structures of first-order logic already in $M$. By construction, $\overline{\mathrm{FOLEq}}$ is also sound and complete.

Example 7. The l-parchment $K$ of modal logic assigns $\mathcal{L}_K = (\Sigma_K, M, lR, gR)$, with $\mathcal{R}_K = (\Sigma_K, M)$ and $\mathcal{D}_K = (\Sigma_K, lR, gR)$ as in Examples 2 and 5, to each $PS$ and is sound and complete [12]. The full unrestricted version $\overline{K}$ considers, instead, the room $\overline{\mathcal{L}}_K = (\Sigma_K, \overline{M}, lR, gR)$ where $\overline{M}$ is the class of all structures for which $\mathcal{D}_K$ is sound. Besides the Kripke structures in $M$, $\overline{M}$ also contains, for instance, all modal algebras. $\overline{K}$ is also sound and complete.

3 Fibring 

We already know that colimits of parchments are built from colimits of rooms. 
As in [6], we characterize fibring using colimits, and so we concentrate just on 
rooms. Obviously, all the characterizations to follow can be immediately lifted 
to parchments. When considering two rooms with signatures $\Sigma_1 = (S_1, O_1)$ and $\Sigma_2 = (S_2, O_2)$, we assume that their fibring is constrained by sharing the sorts and constructors in their largest common subsignature $\Sigma_0 = (S_0, O_0)$, with $S_0 = S_1 \cap S_2$ (it always includes $\phi$) and $O_{0,u} = O_{1,u} \cap O_{2,u}$ for $u \in S_0^*$, according to the corresponding inclusions $h_1 : \Sigma_0 \to \Sigma_1$ and $h_2 : \Sigma_0 \to \Sigma_2$. Below, $\mathcal{R}_0 = (\Sigma_0, M_0)$ with $M_0 = \mathrm{cAlg}(\Sigma_0)$, $\mathcal{D}_0 = (\Sigma_0, \emptyset, \emptyset)$ and $\mathcal{L}_0 = (\Sigma_0, M_0, \emptyset, \emptyset)$.

The envisaged combined signature is $\Sigma_1 \otimes \Sigma_2 = (S, O)$ such that $S = S_1 \cup S_2$, with inclusions $f_i : S_i \to S$, and $O_u = O_{1,u} \cup O_{2,u}$ if $u \in S_0^*$, $O_u = O_{i,u}$ if $u \in S_i^* \setminus S_0^*$, with inclusions $g_i : O_i \to O$. Easily, $\Sigma_1 \otimes \Sigma_2$ is a pushout of $\{h_i : \Sigma_0 \to \Sigma_i\}_{i \in \{1,2\}}$ in $\mathbf{AlgSig}^\phi$, with inclusions $(f_i, g_i) : \Sigma_i \to \Sigma_1 \otimes \Sigma_2$. When $S_0 = \{\phi\}$ and $O_0 = \emptyset$ we say that the fibring is unconstrained, and the construction corresponds to a coproduct in $\mathbf{AlgSig}^\phi$. The fibring of two c-rooms $\mathcal{R}_1 = (\Sigma_1, M_1)$ and $\mathcal{R}_2 = (\Sigma_2, M_2)$ is $\mathcal{R}_1 \otimes \mathcal{R}_2 = (\Sigma_1 \otimes \Sigma_2, M_1 \otimes M_2)$, where $M_1 \otimes M_2$ is the class of all structures $(A, c) \in \mathrm{cAlg}(\Sigma_1 \otimes \Sigma_2)$ such that both $(A|_{(f_1, g_1)}, c) \in M_1$ and $(A|_{(f_2, g_2)}, c) \in M_2$, i.e., $M_1 \otimes M_2$ is obtained by joining together $(A_1, c_1) \in M_1$ and $(A_2, c_2) \in M_2$ with $|A_1|_s = |A_2|_s = |A|_s$ for $s \in S_0$, $o_{A_1} = o_{A_2} = o_A$ for $o \in O_{0,u}$ with $u \in S_0^*$, and $c_1 = c_2 = c$. The fibring $\mathcal{R}_1 \otimes \mathcal{R}_2$ is a pushout of $\{h_i : \mathcal{R}_0 \to \mathcal{R}_i\}_{i \in \{1,2\}}$ in $\mathbf{CPRoom}$, as proved in [6], where a similar characterization for propositional-based proof-calculi, without provisos, was also given. To generalize the characterization, let $\mathcal{D}_1 = (\Sigma_1, lR_1, gR_1)$ and $\mathcal{D}_2 = (\Sigma_2, lR_2, gR_2)$ be d-rooms and $\mathcal{D}_1 \otimes \mathcal{D}_2$ their fibring.

Definition 7. $\mathcal{D}_1 \otimes \mathcal{D}_2 = (\Sigma_1 \otimes \Sigma_2, lR_1 \otimes lR_2, gR_1 \otimes gR_2)$ where $lR_1 \otimes lR_2 = (f_1, g_1)(lR_1) \cup (f_2, g_2)(lR_2)$ and $gR_1 \otimes gR_2 = (f_1, g_1)(gR_1) \cup (f_2, g_2)(gR_2)$.

Proposition 2. $\mathcal{D}_1 \otimes \mathcal{D}_2$ is a pushout of $\{h_i : \mathcal{D}_0 \to \mathcal{D}_i\}_{i \in \{1,2\}}$ in $\mathbf{DRoom}$.

Fibred l-rooms capitalize on the characterizations above but, first, we need to note that soundness of rules is preserved. Let $\mathcal{L}_1 = (\Sigma_1, M_1, lR_1, gR_1)$ and $\mathcal{L}_2 = (\Sigma_2, M_2, lR_2, gR_2)$ be l-rooms and $\mathcal{L}_1 \otimes \mathcal{L}_2$ their fibring.

Theorem 1. The rules of $\mathcal{D}(\mathcal{L}_1) \otimes \mathcal{D}(\mathcal{L}_2)$ are sound for $\mathcal{R}(\mathcal{L}_1) \otimes \mathcal{R}(\mathcal{L}_2)$.

It is now safe to state the definition of fibred l-room.

Definition 8. $\mathcal{L}_1 \otimes \mathcal{L}_2 = (\Sigma_1 \otimes \Sigma_2, M_1 \otimes M_2, lR_1 \otimes lR_2, gR_1 \otimes gR_2)$.

Proposition 3. $\mathcal{L}_1 \otimes \mathcal{L}_2$ is a pushout of $\{h_i : \mathcal{L}_0 \to \mathcal{L}_i\}_{i \in \{1,2\}}$ in $\mathbf{LRoom}$.

To see fibring interact with fullness, consider a system of intended structures $\mathcal{I}_1 \subseteq \mathrm{cAlg}(\Sigma_1)$, $\mathcal{I}_2 \subseteq \mathrm{cAlg}(\Sigma_2)$, $\mathcal{I} \subseteq \mathrm{cAlg}(\Sigma_1 \otimes \Sigma_2)$ satisfying a coherence requirement: if $(A, c) \in \mathcal{I}$ then $(A|_{(f_1, g_1)}, c) \in \mathcal{I}_1$ and $(A|_{(f_2, g_2)}, c) \in \mathcal{I}_2$. The result below is an immediate consequence of the definition of fibring.

Proposition 4. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for $\mathcal{I}_1$ and $\mathcal{I}_2$ then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is full for $\mathcal{I}$.

Example 8. We obtain an l-room $\overline{\mathcal{L}}_{FOLEq} \otimes \overline{\mathcal{L}}_K$ for modal first-order logic by fibring the full versions of modal and first-order logic of Examples 7 and 6. The combined signature $\Sigma_{FOLEq} \otimes \Sigma_K = (S, O)$ has:

- $S = \{\tau, \phi\}$, $O_\tau = X \cup F_0$, $O_{\tau^n \tau} = F_n$ for $n > 0$, $O_\phi = PS$, $O_{\tau^2 \phi} = P_2 \cup \{=\}$, $O_{\tau^n \phi} = P_n$ for $n > 0$ and $n \neq 2$, $O_{\phi\phi} = \{\neg, \Box\} \cup \{\forall x : x \in X\}$, $O_{\phi^2 \phi} = \{\Rightarrow\}$.

Consider the usual interpretation structures of modal first-order logic with constant domain and rigid interpretation of symbols, i.e., the first-order component does not change from one world to the other. It corresponds to considering both a $\mathrm{FOLEq}$ interpretation $(D, I)$ and a Kripke model $(W, R, \vartheta)$. It is easy to see that among the structures of $\overline{\mathcal{L}}_{FOLEq} \otimes \overline{\mathcal{L}}_K$ we can find the $(A, c)$ such that:

- $|A|_\tau = D^{W \times \mathrm{Asg}(X, D)}$, $|A|_\phi = \wp(W \times \mathrm{Asg}(X, D))$; $x_A(w, \mu) = \mu(x)$, $f_A((e_i))(w, \mu) = f_I((e_i(w, \mu)))$, $q_A = \vartheta(q) \times \mathrm{Asg}(X, D)$, $p_A((e_i)) = \{(w, \mu) : (e_i(w, \mu)) \in p_I\}$, $\neg_A(b) = (W \times \mathrm{Asg}(X, D)) \setminus b$, $\Rightarrow_A(b_1, b_2) = ((W \times \mathrm{Asg}(X, D)) \setminus b_1) \cup b_2$, $\forall x_A(b) = \{(w, \mu) : (w, \mu[x/d]) \in b$ for every $d \in D\}$, and $\Box_A(b) = \{(w, \mu) : \{(w', \mu) : wRw'\} \subseteq b\}$; $c : \wp(|A|_\phi) \to \wp(|A|_\phi)$ is the cut closure operation induced by $\subseteq$.

This structure makes all the rules of $\mathcal{D}_{FOLEq} \otimes \mathcal{D}_K$ sound, but other usual modal first-order semantic structures could be considered (see Example 9). But now, the reason why we considered the full versions is obvious: the structure above is in $\overline{\mathcal{L}}_{FOLEq} \otimes \overline{\mathcal{L}}_K$ but certainly not in $\mathcal{L}_{FOLEq} \otimes \mathcal{L}_K$.

4 Completeness 

Again we concentrate on l-rooms, since everything can be lifted to l-parchments. The results in this section generalize [6] and make thorough use of the notion of fullness. The first result applies to l-rooms full for the class of all structures.

Proposition 5. If $\mathcal{L}$ is full for all structures then $\mathcal{L}$ is complete.

Proof. The rules of $\mathcal{D}(\mathcal{L})$ are sound for $(W_\Sigma, c)$ with $c = \vdash_{\mathcal{L}}$. Thus, by fullness, the structure $(W_\Sigma, c)$ belongs to $\mathcal{L}$. Suppose now that $\Phi \nvdash_{\mathcal{L}} \varphi$. To show that $\Phi \nvDash_{\mathcal{L}} \varphi$ it is enough to note that $[\_]_{W_\Sigma}$ is the identity on formulas. □

The system $\mathcal{I}_1 = \mathrm{cAlg}(\Sigma_1)$, $\mathcal{I}_2 = \mathrm{cAlg}(\Sigma_2)$ and $\mathcal{I} = \mathrm{cAlg}(\Sigma_1 \otimes \Sigma_2)$ of intended structures trivially satisfies the necessary coherence requirement.

Proposition 6. Fullness for all structures is preserved by fibring. 

The first completeness transfer result follows from Propositions 5 and 6. 

Theorem 2. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for all structures then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is complete.

Although this result is a bit too syntactic (see the structure in Proposition 5), its proof is enlightening. Reusing the technique of [25], we have shown that if an l-room has certain properties then it is complete (Proposition 5), and also that the relevant properties are preserved by fibring (Proposition 6). All the subsequent completeness preservation results follow the same pattern.

We start by considering a reasonable syntactic restriction. A signature $\Sigma = (S, O)$ is said to be plain if for every $o \in O_{us}$ with $s \neq \phi$, $u \in (S \setminus \{\phi\})^*$. Plainhood of signatures prevents us from building terms using formulas.

Proposition 7. If $\Sigma_1$ and $\Sigma_2$ are plain signatures then so is $\Sigma_1 \otimes \Sigma_2$.

A closure operation $(A, c)$ is said to be elementary if for every $a_1, a_2 \in A$, $a_1 \in \{a_2\}^c$ and $a_2 \in \{a_1\}^c$ imply $a_1 = a_2$. Clearly, the structure in Proposition 5 is not elementary. Let us take as intended the class of all structures whose closure is elementary. The corresponding system of intended structures clearly fulfills the coherence requirement and fullness for this class is preserved by fibring.

Proposition 8. Fullness for elementary structures is preserved by fibring.



The following characterizations are a simple reformulation from [25,6,5]. A d-room $\mathcal{D}$ over $\Sigma = (S, O)$ is said to have implication if there exists $\Rightarrow \in O_{\phi^2 \phi}$ satisfying: (i) $\vdash_{\mathcal{D}} \xi_1 \Rightarrow \xi_1$, (ii) $\xi_1, \xi_1 \Rightarrow \xi_2 \vdash_{\mathcal{D}} \xi_2$, (iii) $\xi_1 \vdash_{\mathcal{D}} \xi_2 \Rightarrow \xi_1$, (iv) for each $(\Gamma, \delta, \pi) \in lR$ and $\xi$ not in $\Gamma \cup \{\delta\}$, $\{\xi \Rightarrow \gamma : \gamma \in \Gamma\} \vdash_{\mathcal{D}} \xi \Rightarrow \delta : \pi$.

In the sequel, $\mathcal{D}$ is said to be formula-congruent if it has implication and we have that, for every $o \in O_{s_1 \ldots s_n \phi}$ and $s_i = \phi$, $\xi_i \Rightarrow \xi'_i, \xi'_i \Rightarrow \xi_i \vdash_{\mathcal{D}} o(\xi_1, \ldots, \xi_{i-1}, \xi_i, \xi_{i+1}, \ldots, \xi_n) \Rightarrow o(\xi_1, \ldots, \xi_{i-1}, \xi'_i, \xi_{i+1}, \ldots, \xi_n)$. The next result follows from Proposition 1.



Proposition 9. If $\mathcal{D}_1$ and $\mathcal{D}_2$ are formula-congruent and share an implication then $\mathcal{D}_1 \otimes \mathcal{D}_2$ is formula-congruent.

We are now able to present the following completeness result.

Proposition 10. If $\mathcal{L}$ is full for elementary structures, has a plain signature, and $\mathcal{D}(\mathcal{L})$ is formula-congruent then $\mathcal{L}$ is complete.

Proof. Let $\Sigma$ be the signature of $\mathcal{L}$. Easily, $\equiv$ defined on $|W_\Sigma|_\phi$ by $\varphi_1 \equiv \varphi_2$ if $\{\varphi_1\} \vdash_{\mathcal{L}} \varphi_2$ and $\{\varphi_2\} \vdash_{\mathcal{L}} \varphi_1$ is an equivalence. Since $\mathcal{D}(\mathcal{L})$ is formula-congruent and $\Sigma$ is plain, $\equiv = \{\equiv_s\}_{s \in S}$ with $\equiv_s$ the identity if $s \neq \phi$ is a congruence on $W_\Sigma$. Let us consider the Lindenbaum-Tarski structure $(W_\Sigma/{\equiv}, c)$, with $c$ defined by $\{[\psi] : \psi \in \Psi\}^c = \{[\psi'] : \Psi \vdash_{\mathcal{L}} \psi'\}$. Clearly $\mathcal{D}(\mathcal{L})$ is sound for $(W_\Sigma/{\equiv}, c)$, which is elementary and, by fullness, belongs to $\mathcal{L}$. Suppose that $\Phi \nvdash_{\mathcal{L}} \varphi$. The structure just built shows that $\Phi \nvDash_{\mathcal{L}} \varphi$. □

Theorem 3. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for elementary structures, $\Sigma_1$ and $\Sigma_2$ are plain, and $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent and share an implication then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is complete.

Let us try to improve this result. In logic, algebras of truth-values are often partially ordered. Every partial order $(A, \le)$ induces two polarities $\mathrm{Upp}(B) = \{a \in A : b \le a$ for every $b \in B\}$ and $\mathrm{Low}(B) = \{a \in A : a \le b$ for every $b \in B\}$, and a cut closure operation on $A$ defined by $B^c = \mathrm{Upp}(\mathrm{Low}(B))$ [2]. Partial-order structures are precisely those whose closure operation fulfills this condition.

Proposition 11. Fullness for partial-order structures is preserved by fibring.

We can now present the following preservation results.

Proposition 12. If $\mathcal{L}$ is full for partial-order structures, has a plain signature, and $\mathcal{D}(\mathcal{L})$ is formula-congruent then $\mathcal{L}$ is weakly complete.
Proof. The proof is similar to Proposition 10, but with a different closure. Note that $[\varphi_1] \le [\varphi_2]$ if $\vdash_{\mathcal{L}} \varphi_1 \Rightarrow \varphi_2$ defines a partial order on $|W_\Sigma/{\equiv}|_\phi$. Consider the structure $(W_\Sigma/{\equiv}, c)$ where $c$ is the cut closure induced by $\le$. Let us check, in this less trivial case, that the structure makes the rules of $\mathcal{D}(\mathcal{L})$ sound. Consider a rule $r = \frac{\gamma_1, \ldots, \gamma_n}{\delta} : \pi$ and fix a substitution $\rho \in \pi_\Sigma$. Assume that $r$ is an $l$-rule. Since $[\_]_{W_\Sigma/\equiv} = [\_]$, we need to show that $[\delta\rho] \in \{[\gamma_1\rho], \ldots, [\gamma_n\rho]\}^c$. Let $\varphi$ be a formula such that $[\varphi] \le [\gamma_i\rho]$ for $i = 1, \ldots, n$. This means that $\vdash_{\mathcal{L}} \varphi \Rightarrow \gamma_i\rho$ for each $i$. Using requirement (iv) of implication, $\{\xi \Rightarrow \gamma_i : i = 1, \ldots, n\} \vdash_{\mathcal{L}} \xi \Rightarrow \delta : \pi$ for $\xi$ not in $r$. Consider $\rho' \in \mathrm{Sub}(\Sigma)$ such that $\rho'$ equals $\rho$, except that $\rho'(\xi) = \varphi$. Clearly, $\gamma_i\rho = \gamma_i\rho'$ and $\delta\rho = \delta\rho'$. Moreover, $\pi$ is insensitive to $\xi$ and $\rho' \in \pi_\Sigma$. By the structurality of deducibility and the fact that $\pi\rho' = \mathrm{univ}$, $\{\varphi \Rightarrow \gamma_i\rho : i = 1, \ldots, n\} \vdash_{\mathcal{L}} \varphi \Rightarrow \delta\rho$. So $\vdash_{\mathcal{L}} \varphi \Rightarrow \delta\rho$, or equivalently, $[\varphi] \le [\delta\rho]$, and the $l$-rule is sound. Assume now that $r$ is a $g$-rule. We need to show that $\{[\gamma_1\rho], \ldots, [\gamma_n\rho]\} \subseteq \emptyset^c$ implies $[\delta\rho] \in \emptyset^c$. Easily, $\emptyset^c$ has precisely one element, the equivalence class of formulas $\psi$ such that $\vdash_{\mathcal{L}} \psi$. If $\vdash_{\mathcal{L}} \gamma_i\rho$ for each $i$, then by using $r$, we conclude that $\vdash_{\mathcal{L}} \delta\rho$ and the $g$-rule is sound. By fullness, the structure belongs to $\mathcal{R}(\mathcal{L})$. So, if $\nvdash_{\mathcal{L}} \varphi$ this structure shows that $\nvDash_{\mathcal{L}} \varphi$. □

Theorem 4. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for partial-order structures, $\Sigma_1$ and $\Sigma_2$ are plain, and $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent and share an implication then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is weakly complete.

A little improvement is still possible. A d-room $\mathcal{D}$ over $\Sigma = (S, O)$ is said to have conjunction if there exists $\wedge \in O_{\phi^2 \phi}$ such that: (i) $\xi_1 \wedge \xi_2 \vdash_{\mathcal{D}} \xi_1$, (ii) $\xi_1 \wedge \xi_2 \vdash_{\mathcal{D}} \xi_2$, (iii) $\xi_1, \xi_2 \vdash_{\mathcal{D}} \xi_1 \wedge \xi_2$.

Proposition 13. If $\mathcal{D}_1$ or $\mathcal{D}_2$ have conjunction then so has $\mathcal{D}_1 \otimes \mathcal{D}_2$.

Proposition 14. If $\mathcal{L}$ is full for partial-order structures, has a plain signature, and $\mathcal{D}(\mathcal{L})$ is formula-congruent and has conjunction then $\mathcal{L}$ is finitely complete.

Proof. Consider the structure of Proposition 12, and suppose $\{\varphi_1, \ldots, \varphi_n\} \nvdash_{\mathcal{L}} \psi$. With $\varphi = \varphi_1 \wedge \ldots \wedge \varphi_n$, it is trivial that $\vdash_{\mathcal{L}} \varphi \Rightarrow \varphi_i$ for each $i$. Easily, it is also the case that $\nvdash_{\mathcal{L}} \varphi \Rightarrow \psi$ and the structure shows that $\{\varphi_1, \ldots, \varphi_n\} \nvDash_{\mathcal{L}} \psi$. □

Theorem 5. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for partial-order structures, $\Sigma_1$ and $\Sigma_2$ are plain, $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent, share an implication, and one of them has conjunction then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is finitely complete.

All the previous results are still valid if we concentrate only on structures providing a standard interpretation of equality, when it exists. A signature $\Sigma = (S, O) \in |\mathbf{AlgSig}^\phi|$ is said to have a system of equalities if, for every $s \in S \setminus \{\phi\}$, there exists $=_s \in O_{s^2 \phi}$. The existence of equality symbols is preserved by fibring.

Proposition 15. If $\Sigma_1$ and $\Sigma_2$ have systems of equalities then so has $\Sigma_1 \otimes \Sigma_2$.

If $\Sigma$ has a system of equalities, then $(A, c) \in \mathrm{cAlg}(\Sigma)$ is said to be standard for equality if: (i) if $a_1 =_A a_2 \in \emptyset^c$ then $a_1 = a_2$, (ii) for $T \subseteq |A|_\phi$ the congruence $\equiv_T$ on $A$ generated by $R_T = \{(a_1, a_2) : a_1 =_A a_2 \in T^c\}$ is such that $\equiv_{T,s} = R_T \cap (|A|_s \times |A|_s)$ for $s \neq \phi$. The conditions mean that $c$ captures precisely the congruence imposed by the equalities.
Proposition 16. Fullness for standard structures is preserved by fibring.



Now, of course, we should require a similar standard treatment of equality at the deductive level. A d-room $\mathcal{D} = (\Sigma, lR, gR)$ is said to have equality if $\Sigma$ has a system of equality symbols and the following hold: (i) $\vdash_{\mathcal{D}} \xi_1 = \xi_1$, (ii) $\xi_1 = \xi_2 \vdash_{\mathcal{D}} \xi_2 = \xi_1$, (iii) $\xi_1 = \xi_2, \xi_2 = \xi_3 \vdash_{\mathcal{D}} \xi_1 = \xi_3$, (iv) for every $o \in O_{s_1 \ldots s_n s}$ with $s \neq \phi$ and every $i \in \{1, \ldots, n\}$ with $s_i \neq \phi$, $\xi_{s_i} = \xi'_{s_i} \vdash_{\mathcal{D}} o(\xi_{s_1}, \ldots, \xi_{s_{i-1}}, \xi_{s_i}, \xi_{s_{i+1}}, \ldots, \xi_{s_n}) = o(\xi_{s_1}, \ldots, \xi_{s_{i-1}}, \xi'_{s_i}, \xi_{s_{i+1}}, \ldots, \xi_{s_n})$, and last but not least (v) for every $o \in O_{s_1 \ldots s_n \phi}$ and every $i \in \{1, \ldots, n\}$ with $s_i \neq \phi$, $\xi_{s_i} = \xi'_{s_i}, o(\xi_{s_1}, \ldots, \xi_{s_{i-1}}, \xi_{s_i}, \xi_{s_{i+1}}, \ldots, \xi_{s_n}) \vdash_{\mathcal{D}} o(\xi_{s_1}, \ldots, \xi_{s_{i-1}}, \xi'_{s_i}, \xi_{s_{i+1}}, \ldots, \xi_{s_n})$.

Proposition 17. If $\mathcal{D}_1$ and $\mathcal{D}_2$ have equality then so has $\mathcal{D}_1 \otimes \mathcal{D}_2$.



We can now state the following completeness result. 

Proposition 18. If $\mathcal{L}$ is full for standard elementary structures, has a plain signature, and $\mathcal{D}(\mathcal{L})$ is formula-congruent and has equality then $\mathcal{L}$ is complete.

Proof. For each $s \in S \setminus \{\phi\}$, $\equiv_s$ such that $t_1 \equiv_s t_2$ if $\vdash_{\mathcal{L}} t_1 = t_2$ is an equivalence on $|W_\Sigma|_s$. Considering $\equiv = \{\equiv_s\}_{s \in S}$ with $\equiv_\phi$ as in Proposition 10, and noting that $\mathcal{D}(\mathcal{L})$ has equality, we conclude that $\equiv$ is a congruence on $W_\Sigma$. Consider $(W_\Sigma/{\equiv}, c)$, with $c$ defined as in Proposition 10. The structure makes $\mathcal{D}(\mathcal{L})$ sound and is elementary. We now prove that it is standard for equality. Given $[t_1], [t_2] \in |W_\Sigma/{\equiv}|_s$, if $[t_1] =_{W_\Sigma/\equiv} [t_2] \in \emptyset^c$ then $\vdash_{\mathcal{L}} t_1 = t_2$ and, by definition of $\equiv_s$, $t_1 \equiv_s t_2$ and $[t_1] = [t_2]$. Given $T = \{[\psi] : \psi \in \Psi\} \subseteq |W_\Sigma/{\equiv}|_\phi$ and $R_T = \{(a_1, a_2) : a_1 =_{W_\Sigma/\equiv} a_2 \in T^c\}$, let $R_{T,s} = R_T \cap (|A|_s \times |A|_s)$ for each $s \neq \phi$ and recall that $T^c = \{[\psi'] : \Psi \vdash_{\mathcal{D}_1 \otimes \mathcal{D}_2} \psi'\}$. Consider the congruence $\equiv_T$ generated by $R_T$. By definition, $R_{T,s} \subseteq \equiv_{T,s}$. Since $\mathcal{D}(\mathcal{L})$ has equality, it is easy to see that $R_{T,s}$ is an equivalence and $([o(t_1, \ldots, t_i, \ldots, t_n)], [o(t_1, \ldots, t'_i, \ldots, t_n)]) \in R_{T,s}$ for each $o \in O_{s_1 \ldots s_n s}$ with $s \neq \phi$ (and, since $\Sigma$ is plain, each $s_i \neq \phi$) whenever $([t_i], [t'_i]) \in R_{T,s_i}$. So, $\equiv_{T,s} \subseteq R_{T,s}$, $(W_\Sigma/{\equiv}, c)$ is standard and belongs to $\mathcal{L}$, by fullness. As before, if $\Phi \nvdash_{\mathcal{L}} \varphi$, $(W_\Sigma/{\equiv}, c)$ clearly shows that $\Phi \nvDash_{\mathcal{L}} \varphi$. □

Completeness preservation results for elementary, or partial-order, structures, assuming herein that they are also standard for equality, easily follow.

Theorem 6. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for standard elementary structures, $\Sigma_1$ and $\Sigma_2$ are plain, and $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent, with equality and a shared implication then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is complete.

Theorem 7. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for standard partial-order structures, $\Sigma_1$ and $\Sigma_2$ are plain, and $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent, with equality and a shared implication then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is weakly complete.

Theorem 8. If $\mathcal{L}_1$ and $\mathcal{L}_2$ are full for standard partial-order structures, $\Sigma_1$ and $\Sigma_2$ are plain, $\mathcal{D}(\mathcal{L}_1)$ and $\mathcal{D}(\mathcal{L}_2)$ are formula-congruent, with equality, a shared implication, and one of them has conjunction then $\mathcal{L}_1 \otimes \mathcal{L}_2$ is finitely complete.
Example 9. In Example 8 we obtained a system of modal first-order logic by fibring full versions of propositional modal logic and first-order logic. It is well known (e.g., [12]) that the structures considered therein make both the Barcan formula $(\forall x (\Box \xi^\phi_1)) \Rightarrow (\Box (\forall x\, \xi^\phi_1))$ and its converse $(\Box (\forall x\, \xi^\phi_1)) \Rightarrow (\forall x (\Box \xi^\phi_1))$ sound. However, although the latter is deducible from $\mathcal{D}_{FOLEq} \otimes \mathcal{D}_K$, the former is not. Since our completeness preservation results apply, $\overline{\mathcal{L}}_{FOLEq} \otimes \overline{\mathcal{L}}_K$ is complete and must contain structures where the Barcan formula fails. This is the case for the expanding domains interpretations of [12], with an extra component $Q : W \to \wp(D)$ that assigns to each world a domain of interpretation such that if $wRw'$ then $Q(w) \subseteq Q(w')$. We denote by $D_w$ the set $Q(w)$, by $\mathrm{Asg}(X, D)_w$ the set of assignments in $D_w$, and by $U$ the set $\{(w, \mu) : w \in W$ and $\mu \in \mathrm{Asg}(X, D)_w\}$. Then, $(A, c)$ is defined just as in Example 8, considering $A_\tau = D^U$, $A_\phi = \wp(U)$ and $\forall x_A(b) = \{(w, \mu) : \{(w, \mu[x/d]) : d \in D_w\} \subseteq b\}$.
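As an added illustration (not code from the paper), the Python below builds one small expanding-domain structure of the kind just described, with $\Box_A$ and $\Rightarrow_A$ as in Example 8 and $\forall x_A$ quantifying over the domain of the current world, and checks schema validity by the criterion of Section 2.3: an axiom with no premises is locally sound iff its denotation lies in $\emptyset^c = \{U\}$. It confirms that every instance of the converse Barcan formula denotes $U$ while the Barcan formula has a falsifying instance. The two-world model, the rigid unary predicate and all names are constructed for this example.

```python
# Added example, not from the paper: an expanding-domain structure in the
# style of Example 9, and a check that the converse Barcan formula holds in
# it while the Barcan formula itself fails.  Model and names are ours.
from itertools import product, combinations

W = ("w0", "w1")
R = {("w0", "w1")}                 # w0 sees w1; w1 sees nothing
D = (0, 1)
Q = {"w0": (0,), "w1": (0, 1)}     # expanding domains: Q(w0) subset of Q(w1)
X = ("x", "y")                     # variables; an assignment mu is a tuple indexed like X

def asg(w):
    """Asg(X, D)_w: assignments taking values in the domain D_w = Q(w)."""
    return list(product(Q[w], repeat=len(X)))

# U = {(w, mu) : w in W and mu in Asg(X, D)_w}; the carrier |A|_phi is powerset(U)
U = frozenset((w, mu) for w in W for mu in asg(w))

def upd(mu, x, d):
    """mu[x/d]."""
    i = X.index(x)
    return mu[:i] + (d,) + mu[i + 1:]

def pred(p_I, x):
    """[p(x)]_A for a rigid unary predicate with extension p_I."""
    return frozenset((w, mu) for (w, mu) in U if mu[X.index(x)] in p_I)

def imp(b1, b2):
    """=>_A(b1, b2) = (U minus b1) union b2."""
    return (U - b1) | b2

def box(b):
    """box_A(b) = {(w, mu) : (w', mu) in b for every w' with w R w'}."""
    return frozenset((w, mu) for (w, mu) in U
                     if all((w2, mu) in b for (w1, w2) in R if w1 == w))

def forall(x, b):
    """forall x_A(b) of Example 9: quantify over the domain of the current world."""
    return frozenset((w, mu) for (w, mu) in U
                     if all((w, upd(mu, x, d)) in b for d in Q[w]))

def barcan(p_I):
    """(forall x (box p(x))) => (box (forall x p(x)))."""
    return imp(forall("x", box(pred(p_I, "x"))), box(forall("x", pred(p_I, "x"))))

def converse_barcan(p_I):
    """(box (forall x p(x))) => (forall x (box p(x)))."""
    return imp(box(forall("x", pred(p_I, "x"))), forall("x", box(pred(p_I, "x"))))

def survey():
    """Over every extension p_I of the predicate: is each schema valid, i.e.
    does every instance denote all of U (the single element of empty^c)?
    Returns (barcan_valid, converse_valid)."""
    exts = [frozenset(s) for r in range(len(D) + 1) for s in combinations(D, r)]
    return (all(barcan(e) == U for e in exts),
            all(converse_barcan(e) == U for e in exts))

if __name__ == "__main__":
    print(survey())                               # (False, True)
    print(U - barcan(frozenset({0})))             # {('w0', (0, 0))}
```

The failing instance is the expected one: with $p_I = \{0\}$ and $D_{w_0} = \{0\}$, every element of the current domain satisfies $\Box p(x)$ at $w_0$, but the successor $w_1$ has the extra element $1 \notin p_I$, so $\forall x\, p(x)$ fails there and $\Box \forall x\, p(x)$ fails at $w_0$. Swapping `Q` for constant domains makes `survey()` return `(True, True)`, matching the Example 8 structures.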

One important aspect of the structures considered so far is that the interpretation of symbols is rigid. However, if we consider flexible symbols, we must proceed with caution. As noted for instance in [22], some axioms of $\mathrm{FOLEq}$ do not behave well in the presence of flexible symbols. Consider the following instance of the fourth $\mathrm{FOLEq}$ axiom, $(\forall x ((c = x) \Rightarrow \Box(c > x))) \Rightarrow ((c = c) \Rightarrow \Box(c > c))$, where $c$ is a flexible symbol and $>$ is an irreflexive ordering. It is easy to find a structure that falsifies the formula. The problem arises when we try to replace a variable by a flexible term (in this case $c$) in the scope of a modality. One way to avoid this problem is to strengthen the proviso as follows:

- $\mathrm{fts}(\xi^\phi_1, \xi^\phi_2, \xi^\tau_1, x)$ is such that, given $h : \Sigma_{FOLEq} \to \Sigma'$, $\rho \in \mathrm{fts}(\xi^\phi_1, \xi^\phi_2, \xi^\tau_1, x)_h$ iff $\rho(\xi^\tau_1)$ is free for $h(x)$ in $\rho(\xi^\phi_1)$ and $\rho(\xi^\phi_2)$ results from $\rho(\xi^\phi_1)$ by replacing by $\rho(\xi^\tau_1)$ the free occurrences of $h(x)$. Plus, if $\rho(\xi^\tau_1)$ is a $\Sigma_{FOLEq}$-term, then no free occurrence of $h(x)$ can appear in the scope of a $\Sigma' \setminus h(\Sigma_{FOLEq})$-symbol.

In our example, this means that no term of $\Sigma_{FOLEq}$ may be replaced in the scope of a modality. This change has no impact whatsoever on first-order logic per se, but makes a huge difference when we combine it with modal logic. Likewise, the fifth axiom in $\mathcal{D}_{FOLEq}$ must also be changed to prevent $\rho(\xi^\phi_1)$ from containing modalities. If we consider equality, $\mathrm{eqrep}$ must also be changed so that [13]: “if $x$ occurs free in the scope of a modal operator, then either all or no occurrence of $x$ may be replaced by $y$”. With these changes, the corresponding fibred system includes structures $(A, c)$ defined from $(W, R, \vartheta, D, Q, I)$ with $f_I = \{f_{I,w} : D_w^n \to D_w\}_{w \in W}$ for $f \in F_n$, and $p_I = \{p_{I,w}\}_{w \in W}$ with $p_{I,w} \subseteq D_w^n$ for $p \in P_n$, by letting:

- $f_A((e_i))(w, \mu) = f_{I,w}((e_i(w, \mu)))$, $p_A((e_i)) = \{(w, \mu) : (e_i(w, \mu)) \in p_{I,w}\}$.

However, after changing the provisos, the converse Barcan formula is no 
longer deducible (see [13]). According to the completeness results, the class of 
fibred models must now contain structures falsifying it. The structures of [22] are 
general enough to provide such counterexamples. Consider (IT, R, 'd, D, I) where 
R = with each C IT^, fj = {//_„ : D” -)> for / G F„, 

and Pi = {pi^w}w&w with pp^ C £)” for p G Pn- Letting U = W x Asg(A, D), 
and for each b C U, = {w : G b for some /x} and 6^ = {/x : (w,/i) G 

b for some w} we define {A, c) by: 

- \A\r = D^, \A\^, = p{uy, XA{w,fi) = fi{x), /^((e*))(w,/x) = //,™((e*(w, ^))), 

QA = i^iq) X Asg(X,L»), PAiiei)) = : {ei{w,p)) G ppn,}, Va;^(6) = 

: l^[x/d\ G b^ for every d G D}, □^(6) = [jf,ebj{w,p) ■ {w' : 

wR^w'} C buj}- 

Of course, these are just examples of structures obtained in the fibred system. 
Due to fullness, it should contain many others. 

5 Conclusion 

We have extended the restricted propositional-based setting of [6] to the fibring 
of logics also admitting variables, terms and quantifiers. Along with the semantic 
dimension provided by c-parchments, we have adopted an improved notion of 
Hilbert-style calculus with explicit control of schema rule instantiations, follow- 
ing [7, 22]. Besides a detailed account of modal first-order logic as a fibring, we 
have also reused the technique of fullness from [25] to provide a smooth gen- 
eralization of the completeness preservation results of [6] to this more general 
context. The techniques used include congruences and Lindenbaum-Tarski alge- 
bras, together with assumptions on the existence of suitable logic constructors. 

A word is due on the relationship between our work and Pawlowski’s [19]. 
Indeed, the context information provided by his inference systems presentations 
can be seen as an alternative way to achieve the same kind of control over 
schema rule instantiations, leading to a setting where schema variable substitu- 
tions are restricted accordingly. Pawlowski’s approach is certainly more abstract 
and systematic, namely in the sense that it tends to treat logical variables and 
schema variables in a uniform way. However, his claim that, thanks to context 
information, he can express and manipulate inference rules “without referring to 
binding operators or requirements” is a little misleading. Context information 
is certainly present in his framework from the very beginning, but his inference 
rules are still decorated with additional relevant context information regarding 
schema variables. This information is strongly related to our provisos. Of course, 
the provisos seem to be more complex since they have to carry over on signa- 
ture changes. However, this is due to the fact that all the context information 
is placed exactly where we really need it: the inference rules. Moreover, note 
that our provisos are sufficiently general to take into account the scope of modal 
operators (cf. Example 9). Binding operators like modalities, very different in 
nature from quantifiers (namely on the absence of any explicit reference to logical 
variables), seem to be a good challenge to Pawlowski’s notion of context, which 
is directly built around variables. Last but not least, the incomplete deductive 
system for first-order logic with equality that he obtains by combining first-order 
logic and equational logic is certainly to be expected and does not contradict the 
completeness preservation results presented herein. Note that, on the one hand, 
equational logic does not come with an implication connective (thus barring the 
application of Theorems 3 to 8), and on the other hand, fullness would require 
considering also semantic structures for equational logic whose interpretation 
of equality would not be the standard (also ruling out Theorem 2). In fact, we 
could as well have mentioned this example to motivate the difficulties involved 
in preserving completeness, and to stress the importance of obtaining non-trivial 
sufficient conditions for completeness preservation as the ones we have presented. 

Despite all the results obtained so far, the challenge of combining logics is still 
far from over. Regarding fibring, specifically, one interesting line of research to 
pursue is a comprehensive comparison to Diaconescu’s Grothendieck institutions 
[8]. Another important subject that needs further investigation is the collapsing 
problem. In this paper we have avoided the problem by making a careful use 
of fullness. However, in general, fibring logics of very distinct nature can give 
rise to trivialities. In [23] modulated fibring was presented as a first solution to 
this problem, using adjunctions between orders on truth-values. Work already 
in progress aims at solving the same problem using simpler machinery, via the 
novel notion of cryptofibring. Other interesting lines of research require a deep 
understanding of the process of algebraization of logics, putting in context the 
notion of fullness and the role that it plays in the completeness results, bringing 
us closer to the rich field of algebraic logic [4, 1]. We are also interested in studying 
the representation of fibring in logical frameworks, by capitalizing on the theory 
of general logics [15]. Finally, future work must also cover transfer results for 
other relevant properties, like decidability, complexity or interpolation. 
Abstract. We present a pattern-based software lifecycle and a method that sup- 
ports the systematic execution of that lifecycle. First, problem frames are used to 
develop a formal specification of the problem to be solved. In a second phase, 
architectural styles are used to construct an architectural specification of the soft- 
ware system to be developed. That specification forms the basis for fine-grained 
design and implementation. 



1 Elaborating the Software Development Process 

Experience has shown that problems and bugs in software systems take their source 
mainly in the early phases of the software development process*. Hence, a software 
development lifecycle that derives the design of the software directly from the require- 
ments and then passes on to the implementation cannot be regarded as satisfactory. The 
step between requirements and design is too large. 

An additional phase should be introduced between the requirements and the design. 
One idea that has been accepted for some time now is that some kind of specifica- 
tion should be set up on the basis of the requirements, so that the requirements are 
transformed into documents useful for developers. Specifications lead to a deeper un- 
derstanding of the problems to be solved, and they can be used to support other devel- 
opment activities (e.g. coding, testing, maintenance). However, producing appropriate 
specifications often turns out to be difficult for practitioners. For instance, finding an 
appropriate starting point for the formal specification process is a very common prob- 
lem. 

M. Jackson [Jac95,Jac01] proposes the use of problem frames for presenting and un- 
derstanding software development problems. A problem frame is a characterization of a 
class of problems in terms of their main components and the connections between these 
components. A set of typical solution methods is associated to each problem frame. The 
basic idea is that once an appropriate problem frame for a given problem is found, we 
also have good proposals for constructing a solution to that problem. We think this idea 

* See for example http://www.standishgroup.com/sample_research 
Fig. 1. Lifecycle using problem frames and architectures (Requirements, Specification, Design, Code; choice of problem frame, choice of architecture) 

Fig. 2. Complete lifecycle using problem frames and architectural styles (Architectural Choices) 



is useful, but it provides only a coarse structure of the problem. Hence, problem frames 
should be supplemented by means that allow for a finer structuring. 

Architectural styles [SG96,BCK98] are a means to structure a software system, i.e. 
to choose its architecture. Since architectural styles are used to construct designs, they 
should not be used right at the beginning of the development process, but only after the 
problem has been fully understood and specified. Figure 1 shows how to bridge the gap 
between the requirements and the design of a software system. It is possible to elaborate 
the software development lifecycle further, as suggested in Figure 2. Here, several phases 
are introduced between the requirements and the design of a software system. 

Problem frames and architectural styles are both forms of patterns. While problem 
frames are concerned with problems, architectural styles are concerned with solutions. 
Hence, with Figures 1 and 2, we propose a pattern-based software lifecycle. Patterns 
should be used systematically and on different levels of abstraction. 

In the following, we show how the steps from an informal requirements description 
to an architectural specification shown in Figure 2 can be carried out in a systematic 
way. This work further elaborates the approach by Choppy and Reggio [CR00], where 
problem frames are used to structure formal specifications. 

We first discuss how patterns can be used on different abstraction levels and in dif- 
ferent phases of the software development process in Section 2. Section 3 presents a 
method to carry out pattern based formal development in a systematic way. The appli- 
cation of that method is illustrated by the case study of a robot simulation in Section 
4. In Section 5, we summarize our work and also discuss related work that aims at 
methodological support for developing formal specifications. 



2 Patterns for Different Software Development Activities 

Patterns are a means to reuse software development knowledge on different levels of 
abstraction. Patterns classify sets of software development problems or solutions that 
share the same structure. 

Patterns have been introduced on the level of detailed object oriented design 
[GHJV95]. Today, patterns are defined for different activities. Problem Frames [Jac01] 
are patterns that classify software development problems. Architectural styles are pat- 
terns that characterize software architectures [SG96,BCK98]. They are sometimes 
called “architectural patterns”. Design Patterns are referred to as “micro-architectures”, 
while frameworks are considered as less abstract, more specialized. Finally, idioms are 
low-level patterns related to specific programming languages [BMR+96], and are some- 
times called “code patterns”. 

Fig. 3. Frame diagrams 

Using patterns, we can hope to construct software in a systematic way, making use 
of a body of accumulated knowledge, instead of starting from scratch each time. In the 
following, we briefly introduce problem frames and architectural styles, which will be 
used in our method. 

2.1 Problem Frames 

Jackson [Jac01] describes problem frames as follows: 

A problem frame is a kind of pattern. It defines an intuitively identifiable prob- 
lem class in terms of its context and the characteristics of its domains, interfaces 
and requirement. 

For each problem frame, a frame diagram is set up (cf. Figure 3), which contains the 
different parts involved. Plain rectangles denote application domains. The characteris- 
tics of these domains play an important role in the application of a problem frame to a 
problem. A problem frame also features a machine domain denoted by a rectangle with 
a double vertical stripe, and a requirement denoted by a dashed oval. The connecting 
lines represent interfaces that consist of so-called “shared phenomena”. 

Jackson distinguishes causal domains that may control some shared phenomena 
(e.g. events) at the interface with another domain, biddable domains (people), and lex- 
ical domains that are physical representation of data. Causal phenomena (e.g. events) 
are caused or controlled by some domain, and can cause in turn other phenomena. Sym- 
bolic phenomena (e.g. values) can be changed, but cannot change themselves or cause 
changes elsewhere. 

Jackson [Jac01] defines five basic frames (that are variants of those given in 
[Jac95]). These (and a sixth derived problem frame) are briefly presented below. For 
each problem frame, we quote the description given by Jackson [Jac01] (see also Fig. 3). 

Required Behaviour “There is some part of the physical world whose behaviour is to 
be controlled so that it satisfies certain conditions. The problem is to build a machine 
that will impose that control.” The “C” in the frame diagram indicates that the 
Controlled domain must be causal. The machine is always a causal domain (so an ex- 
plicit “C” is not needed). The notation “CM!C1” means that the causal phenomena C1 
are controlled by the Control machine CM. The dashed line represents a requirements 
reference, and the arrow shows that it is a constraining reference. 

Commanded Behaviour “There is some part of the physical world whose behaviour is 
to be controlled in accordance with commands issued by an operator. The problem is 
to build a machine that will accept the operator’s commands and impose the control 
accordingly.” The “B” indicates that the domain Operator is a biddable domain, and 
the phenomena E4 are the operator commands. 

Transformation “There are some computer-readable input files whose data must be 
transformed to give certain required output files. The output data must be in a particular 
format, and it must be derived from the input data according to certain rules. The prob- 
lem is to build a machine that will produce the required outputs from the inputs.” The 
“X” indicates that Inputs and Outputs are lexical (inert) domains. 

Workpieces “A tool is needed to allow a user to create and edit a certain class of com- 
puter processable text or graphic objects, or similar structures, so that they can be sub- 
sequently copied, printed, analysed or used in other ways. The problem is to build a 
machine that can act as this tool.” 

Information Display “There is some part of the physical world whose states and be- 
haviour is continually needed. The problem is to build a machine that will obtain this 
information from the world and present it at the required place in the required form.” 
Here, the purpose of the machine is to display things that happen in the real world. Both 
domains are causal. Y4 are symbolic requirement phenomena. 

Commanded Information is derived from the Simple IS frame [Jac95]. There is some 
part of the physical world whose states and behavior are needed upon requests from an 
operator. The problem is to build a machine that will obtain this information from the 
world and present it at the required place in the required form. 

Let us note that these problem frames do not cover every conceivable problem class. 
Some more problem frames have been identified by Souquieres and Heisel [SH00]. 

2.2 Architectural Styles 

According to Bass, Clements, and Kazman [BCK98], 

the software architecture of a program or computing system is the structure or 
structures of the system, which comprise software components, the externally 
visible properties of those components, and the relationships among them. 

Architectural styles are patterns for software architectures. A style is characterized by 
[BCK98]: 

- a set of component types (e.g., data repository, process, procedure) that perform 
some function at runtime, 

- a topological layout of these components indicating their runtime interrelation- 
ships, 

- a set of semantic constraints (for example, a data repository is not allowed to change 
the values stored in it), 

- a set of connectors (e.g., subroutine call, remote procedure call, data streams, sock- 
ets) that mediate communication, coordination, or cooperation among components. 

Important architectural styles are the following: 

- Data-Centered with substyles Repository and Blackboard 

- Data Flow with substyles Batch Sequential and Pipe-and-Filter 

- Virtual Machine with substyles Interpreter and Rule-Based Systems 

- Call-and-Return with substyles Main Program and Subroutine, Layered, Object-Oriented or Abstract Data Types 

- Independent Components with substyles Communicating Processes and Event 
Systems (implicit/explicit invocation) 

When choosing an architecture for a system, usually several architectural styles 
are possible, which means that all of them could be used to implement the functional 
requirements. Which architectural style is the most appropriate must then be decided 
using non-functional criteria such as efficiency, scalability, or modifiability. How such 
a choice is made is illustrated in Section 4. 

2.3 Design Patterns 

Design patterns [GHJV95] are used on a lower level of abstraction than problem frames 
or architectural styles. They provide concrete means to combine objects, or classes, 
respectively. In our overall software lifecycle, they would be used after an architectural 
style has been chosen. This step is beyond the scope of this paper. 



3 An Agenda for Pattern-Based Specification and Design 

We now present our method for carrying out a pattern-based software lifecycle as shown 
in Figures 1 and 2. As a means of presentation, we use the agenda concept [Hei98]. An 
agenda is a list of steps or phases to be performed when carrying out some task in the 
Table 1. Agenda for pattern-based specification 

No. 1. Description: Fit the problem into an appropriate problem frame. 
Result: Instantiated frame diagram. 
Validation: All important issues of the problem must be treated adequately, see also [Jac01]. 

No. 2. Description: Set up a formal specification for each domain of the instantiated frame diagram (including the machine domain) and the requirements. 
Result: Set of formal specifications. 
Validation: 
- The specification must be coherent with the instantiated problem frame diagram. 
- The shared phenomena must belong to the interfaces of all domains where they are visible. 
- Control of phenomena must be taken into account. 
- The specification S of the machine domain (in combination with the domain knowledge D) must suffice to satisfy the requirements R, i.e., S ∧ D ⇒ R must hold. 

No. 3. Description: Choose an appropriate architectural style for structuring the machine domain and instantiate it. 
Result: Architectural diagram and informal text. 
Validation: The chosen architecture must be able to satisfy the machine specification. 

No. 4. Description: Set up a formal specification of all components obtained in Step 3 and of the overall system (i.e., specify how the components cooperate). 
Result: Set of formal specifications. 
Validation: 
- The formal specification must correspond to the architectural diagram. 
- The overall specification must be a refinement of the machine specification developed in Step 2. 
- The constraints imposed by the chosen architectural style must be satisfied. 


context of software engineering. The result of the task will be a document expressed in 
some language. Agendas contain informal descriptions of the steps, which may depend 
on each other. Agendas are not only a means to guide software development activities. 
They also support quality assurance, because the steps may have validation conditions 
associated with them. These validation conditions state necessary semantic conditions 
that the developed artifact must fulfill in order to serve its purpose properly. 

Table 1 shows an agenda that precisely describes how to carry out and validate the 
first steps of the lifecycle proposed in Figure 2. A precondition for the applicability of 
the agenda is that the problem is sufficiently small that it may be fitted into one problem 
frame. Complex problems have to be decomposed first, for example by projection, as 
described by [Jac01]. 

Step 1 of the agenda is performed in principle as described by Jackson [Jac01]. 
To find the right problem frame, the structure of the frame diagram and the domain 
characteristics as described in Section 2.1 must be taken into account. However, this 
is not as straightforward as it might seem, because we first need to choose between 
possibly different viewpoints on the problem. For instance, the choice of taking into 
account a user/operator influences the choice of problem frame, and it also changes the 
Table 2. Problem frames and related architectural styles 

Problem Frame: Required Behaviour, Commanded Behaviour 
Architectural Style: Communicating Processes, Event/Action, Process Control 

Problem Frame: Transformation, Workpieces 
Architectural Style: Repository, Batch Sequential, Pipe and Filter, Virtual Machine, Layered, ADT/OO, Event Systems 

Problem Frame: Information Display, Commanded Information 
Architectural Style: Repository, Blackboard 

characteristics of the domains and phenomena. We think it is worthwhile to examine 
for each problem frame whether we find a meaningful instantiation of it or else a clear 
reason why not. 

Once the choice of a problem frame is made, we rely on the structure provided 
by the problem frame to proceed and establish a corresponding formal specification 
[CR00]. 

Step 2 uses the instantiated frame diagram from Step 1 that determines the structure 
of the formal specification to be set up. For each box in the instantiated frame diagram, 
a specification must be given. The validation condition “coherence of the instantiated 
frame diagram and specification” means that the phenomena at the interfaces of the 
requirements box must be used in expressing the requirements. Moreover, the shared 
phenomena that are given in the instantiated problem frame must belong to the inter- 
faces of the respective domain specifications. A domain which is in control of a shared 
phenomenon must be able to produce that phenomenon as an output, and a domain 
which is able to observe a phenomenon of which it is not in control must be able to take 
the phenomenon as an input. The domain knowledge D mentioned in the last valida- 
tion condition of Step 2 refers to the specification of the application domains, i.e. the 
domains of the instantiated problem frame other than the machine domain. 

Step 3 uses the specification of the machine domain developed in Step 2. This spec- 
ification describes the machine to be developed, whose structure will be determined by 
the architectural style. Several possible architectural styles should be explored and as- 
sessed according to those non-functional criteria that are regarded to be important for 
the given problem. 

Table 2 gives heuristics for performing Step 3. It has been developed from the gen- 
eral characteristics of the involved problem frames and architectural styles as well as by 
conducting several case studies. It shows rules of thumb giving hints which architectural 
styles to consider first. 

As can be seen, there are several architectural styles associated to each problem 
frame. Which one is finally chosen depends on non-functional requirements. It remains 
to make these explicit in order to really guide the transition from a problem frame to an 
architectural style. 

For the problem frames Transformation and Workpieces, we have quite a number of 
architectural styles to consider. This is due to the fact that these problem frames cover 
most of the “classical” software development problems and that they are less constrain- 
ing than the other frames. For Required Behaviour and Commanded Behaviour, we 
Fig. 4. The movements of the robot (sequence shown: init, chg_smile, advance, advance, chg_smile, stand, chg_smile) 
should consider architectural styles that are well suited for reactive systems, and for 
Information Display and Commanded Information, it seems natural to choose data- 
centered architectures. 

Step 4 uses the architectural style instantiated in Step 3 to develop a specification 
that formally describes the chosen architecture. That instantiation determines a set of 
components that structure the system to be developed. It also shows the cooperations 
between these components. For each component a formal specification must be given. 
Furthermore, it must be specified how the components cooperate. Such an architectural 
specification is the basis for detailed design and implementation. The most important 
validation condition associated with Step 4 of the agenda is to show that the chosen 
architecture indeed correctly implements the machine specified in Step 2, i.e., that the 
architectural specification refines the machine specification. Because we use formal 
specifications, this validation condition can be demonstrated in a rigorous or formal 
way. 

In the following section, we demonstrate the application of the agenda by means of 
a concrete example. 

4 Case Study: Robot Simulation 

This case study is taken from [HL97], where it was used to illustrate different archi- 
tectural styles. Here, we demonstrate how the most suitable architectural style can be 
found in a systematic manner, performing the steps of the agenda presented in Table 1. 

The task is to build a system simulating a simple robot. This robot can make the 
movements shown in Figure 4: it can advance by moving its right or its left leg; it can 
stand still; and it can smile or not. The robot can be modeled as an automaton with 
three states: standing, left_up and right_up as shown in Figure 5. To each state 
a boolean value is associated indicating whether the robot is smiling or not. The initial 
state is standing and smiling. 

The robot is defined by the abstract data type ROBOT where the states are defined as 
constants and the movements as transitions from one state to another, except for smiling, 
which is defined by a boolean value: true for smiling. For each state a predicate is 
defined deciding if the robot is in this state. 

The input for the system to be built is a list of commands to be executed by the 
robot, i.e., a list consisting of the elements stand, advance and chg_smile. The 
output is a list of pairs, where the first component of each pair is the current state of the 
Fig. 5. The robot automaton (states standing(s), left_up(s) and right_up(s), each carrying a boolean s; transitions labelled stand, advance and chg_smile) 
robot, and the second component of each pair is the list of commands not yet executed. 
Each command must be executed, and the intermediate states entered during execution 
of the command list must be given as an output. 

Step 1: Choice and Instantiation of a Problem Frame. We consider the problem 
frames (cf. Figure 3) one by one and give reasons for each problem frame why it is 
rejected or accepted. 

Required Behaviour The “C” says that the Controlled Domain must be causal. 
Since the robot is defined by an abstract data type, the domain corresponding to the 
robot is not causal but lexical. Moreover, the problem frame Required Behaviour 
does not let us distinguish between the input domain (being a list of commands) 
and the output domain (being a list of pairs). Hence, we reject this problem frame. 
Commanded Behaviour This problem frame must be rejected for the same reasons as 
before. Moreover, we cannot find a domain corresponding to the Operator domain. 
Information Display Here, the purpose of the machine is to display things that happen 
in the real world. Both domains are causal, which does not fit well with the robot 
problem. 

Commanded Information This frame must be rejected, because we cannot find an 
Enquiry operator and because the domains involved in the robot problem are not 
causal. 

Workpieces This problem frame is more promising than the ones considered before, 
because we have a lexical domain here. The workpieces are the robot’s state, to- 
gether with the current command list. However, we cannot find an instantiation for 
the User domain, because command lists are not biddable. Hence, we finally reject 
the Workpieces frame. 

Transformation It is this frame that we finally choose for our problem. A lexical input 
list is transformed into a lexical output list. The relation between the two lists is 
given by the robot automaton. Figure 6 shows the instantiated frame diagram. 



Step 2: Structured Requirements Specification. Having chosen a problem frame for 
the robot problem, we must give a specification of all the domains involved and of the 
requirements. As a specification language, we use LOTOS [BB87], because LOTOS 
is one of the specification languages allowing us to define software architectures, and 
especially the interaction of different components, in a suitable way. 

Specification of the Inputs Domain. As shown in Figure 6, the input domain is a list 
of movement commands. 
Fig. 6. The robot problem fitted into the Transformation problem frame (domains Inputs and Outputs; requirement “IO relation: correct processing of movement list” with references [Y1, Y3]; interface a: ML!{m_stand, m_advance, m_chg_smile}; interface b: RS!{standing(s), left_up(s), right_up(s), m_stand, m_advance, m_chg_smile, list operations} [Y2, Y4]) 



The movements are defined by the type MVT with three constants m_stand, m_ 
advance and m_chg_smile. 

The robot will be asked to execute several movements collected in a list. This list is 
defined by an abstract data type M_LIST whose definition is straightforward. 

Specification of the Outputs Domain. The output consists of a list of pairs, whose 
first element is the current state of the robot and whose second element is the list of 
movements yet to be performed. 

The definition of the abstract data type ROBOT reflects exactly the automaton given 
in Figure 5. 

To define the Outputs domain O_LIST, a data type VALUE must be defined as the 
Cartesian product (with constructor make) of the two types ROBOT and M_LIST. The 
type O_LIST of lists of elements of type VALUE is then defined in much the same way 
as the type M_LIST. 

Specification of the IO relation. The IO relation says that, given a list of commands, the 
robot simulation must execute that list of commands one by one and output the current 
state of the robot after execution of each command, together with the commands yet to 
be executed. 

For example, if the input command list has the form $(m_1, m_2, m_3, \ldots, m_k)$ then 
the output list has the form 

$((m_1(\mathit{init\ of\ robot}), (m_2, m_3, \ldots, m_k)),\ (m_2(m_1(\mathit{init\ of\ robot})), (m_3, \ldots, m_k)),$ 

$\ldots,\ (m_k(\ldots(m_3(m_2(m_1(\mathit{init\ of\ robot}))))\ldots), \mathit{empty}))$ 

where $m(r)$ denotes the robot state that is reached from state $r$ by executing movement 
$m$. This requirement is defined by a predicate is_correct which takes a movement 
list and an output list as its arguments. This predicate is defined in a type IO_REL. 

Specification of the Machine Domain Robot Simulation. For each input list, the robot 
simulation must produce an output list in such a way that the two lists are in the relation 
is_correct. 
Fig. 7. The repository architecture for the robot 

type ROBOT_SIMULATION is IO_REL 
  opns robsim : m_list -> o_list 
  eqns 
    forall ml : m_list 
    ofsort bool 
      is_correct (ml, robsim (ml)) = true 
endtype 

Steps 3 and 4: Architectural Design of the Robot. We will explore several possibili- 
ties to structure the machine domain specified in Step 2. The non-functional criteria for 
assessing the different architectures will be efficiency and simplicity. Moreover, we give 
a specification of the top-level behavior for each considered architecture. For reasons 
of space, we cannot give the specifications of the different components. 

All architectures we will consider in the following have the same interface. This 
interface consists of an input channel START and an output channel OUTPUT, where 
START corresponds to interface a and OUTPUT corresponds to interface b of Figure 6. 

The list of movements to be processed is given in one step. The simulation must 
show the intermediate states of the robot when processing the input list. Hence, instead 
of producing the output list at once, the machine will produce the elements of the output 
list one by one. Then, the correctness condition required to be proven in Step 4 of the 
agenda is that the sequence of events occurring on gate OUTPUT is an output list that is 
in relation IO_rel with the input list. 

The gate START is used to start the simulation, yielding in the following top-level 
behavior: 

START !make(init of robot, input_list); exit 
|[START]| (behav_expr) 

The different architectures will result in different definitions of behav_expr. 

The Repository Architecture. The basic idea is to use a repository that contains the 
current state of the robot and the list of commands still to be executed. There are three 
components, one for each command. These components change the state according to 
the automaton and discard the first element of the command list. 

Figure 7 illustrates the repository architecture, where channel names R, W and RW 
denote the read, write and read/write access to the repository, respectively. The compo- 
nent Init_sm serves to write the initial state of the robot and the initial command list 
into the repository. 

Fig. 8. The pipe/filter architecture of the robot 

The components try to access the shared memory in parallel in order to execute the 
movement they are responsible for. Each of them first reads the list of movements. If 
the first movement is the one it is responsible for, the movement is executed, the robot 
state changed, and the new state and the rest of the movement list is written back in the 
shared memory. If the movement cannot be executed by the component that has been 
granted access, it writes back the unchanged state in order to unlock the shared memory. 
The top-level behavior of this architecture is as follows: 

    START !make(init_of_robot, init_list); exit
      |[START]|
    ( hide RR, R, WR, W, RWR in
        SM[RR, R, WR, W, RWR](init_of_shared_memory, false, for_nobody)
      |[RR, R, WR, W, RWR]|
        ( Init_sm[START, W, WR]
          ||| Stand[OUTPUT, R, W, RWR]
          ||| Chg_Smile[OUTPUT, R, W, RWR]
          ||| Advance[OUTPUT, R, W, RWR] ) )

This architecture has the disadvantage that the system implementation must guarantee 
fairness, i.e. each component must be given the chance to access the shared memory. 
Otherwise, an infinite number of unsuccessful accesses is possible, and the system does 
not terminate (live-lock). 

The Pipe-and-Filter Architecture. In the pipe/filter modeling, we can make sure that 
each component is given the possibility to execute its movement if required. The idea 
is to have a line of filters. Each filter inspects the movement list. If it can execute the 
movement, it does so and hands the new robot state and the new movement list to the 
next filter. Otherwise, it passes on the unchanged data. Again, we need an initializing 
component, called here Init_pf. The architecture is shown in Figure 8. The top-level 
behavior of this architecture is as follows: 

    hide P0, P1, P2, P3 in
      ( Init_pf[START, P0]
        |[P0]|
        Stand[P0, P1, P3, OUTPUT]
        |[P1, P3]|
        Advance[P1, P2, OUTPUT]
        |[P2]|
        Chg_Smile[P2, P3, OUTPUT] )
[Fig. 9. The event system and the virtual machine architectures for the robot; both have the gates START and OUTPUT, and the right-hand side consists of the single process RobotMachine] 



This solution is better than the repository architecture because it always terminates. 
It is not ideal, however, because each component must inspect the data, even if it cannot 
process them. 

The Event System Architecture. The event system style can be used to overcome 
the disadvantages of the previous two architectures. An event manager inspects the 
movement list and passes the data only to the component that can process them. The 
initial state of the robot and the movement list are given to the event manager. No 
initialization component is required. This architecture is shown on the left-hand side of 
Figure 9. We have the following overall behavior: 

    hide In_stand, Out_stand, In_chg_smile, Out_chg_smile,
         In_advance, Out_advance in
      Event_Manager[START, In_stand, Out_stand, In_chg_smile,
                    Out_chg_smile, In_advance, Out_advance]
      |[In_stand, Out_stand, In_chg_smile, Out_chg_smile,
        In_advance, Out_advance]|
      ( Stand[OUTPUT, In_stand, Out_stand]
        ||| Advance[OUTPUT, In_advance, Out_advance]
        ||| Chg_Smile[OUTPUT, In_chg_smile, Out_chg_smile] )

The components executing the movements are much simpler now than in the other 
architectures. 

The Virtual Machine Architecture. The architecture can be improved once more. We 
should not have three components that can only execute a single command, but a virtual 
machine that can execute all three commands. This architectural style seems to be the 
most natural one, because virtual machines are well suited for simulation tasks. This 
architecture is shown on the right-hand side of Figure 9. It is quite simple: 

    process Robot[START, OUTPUT] : exit :=
      START ?v:value; RobotMachine[OUTPUT](v)
    endproc

where the process RobotMachine just recursively processes the given movement list 
contained in v. 
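To make the fairness argument concrete, here is an added Python simulation of the four architectures above. It is not part of the paper and not the LOTOS specifications it describes. The robot state (position, smile flag) and the effect of the three commands are assumptions standing in for the automaton of Step 2, which this page does not show; the scheduler passed to the repository model plays the role of the system implementation that does, or does not, guarantee fair access to the shared memory. The input list is constructed for the example.

```python
from typing import Callable, List, Tuple

# Assumed robot state and automaton (Step 2 of the agenda is not on this page):
# state = (position, smiling). Advance moves forward, Chg_Smile toggles the smile,
# Stand leaves the state unchanged but still produces an event on OUTPUT.
State = Tuple[int, bool]
MOVES = ('Stand', 'Chg_Smile', 'Advance')


def automaton(state: State, move: str) -> State:
    pos, smiling = state
    if move == 'Advance':
        return (pos + 1, smiling)
    if move == 'Chg_Smile':
        return (pos, not smiling)
    if move == 'Stand':
        return state
    raise ValueError(f'unknown movement {move!r}')


def repository(init: State, moves: List[str], grant: Callable[[int], str],
               max_accesses: int = 1000) -> Tuple[List[State], int]:
    """Repository style: the shared memory holds (state, remaining list) under a lock.
    grant(k) names the component that wins the k-th access, i.e. it is the scheduler.
    A component that is not responsible for the first movement writes the data back
    unchanged. Under an unfair scheduler no progress is ever made: that is the
    live-lock, made observable here by exhausting max_accesses."""
    state, todo, outputs, accesses = init, list(moves), [], 0
    while todo:
        if accesses >= max_accesses:
            return outputs, accesses          # gave up: live-lock
        comp = grant(accesses)
        accesses += 1
        if todo[0] == comp:
            state = automaton(state, todo.pop(0))
            outputs.append(state)             # event on gate OUTPUT
    return outputs, accesses


def pipe_filter(init: State, moves: List[str]) -> Tuple[List[State], int]:
    """Pipe/filter style: data circulates Stand -> Advance -> Chg_Smile -> Stand
    (the P3 feedback pipe of Figure 8). Every filter inspects the list even when it
    cannot act; the inspection count is the inefficiency the text points out. Each
    round consumes at least one movement, so the loop always terminates."""
    state, todo, outputs, inspections = init, list(moves), [], 0
    while todo:
        for comp in ('Stand', 'Advance', 'Chg_Smile'):
            inspections += 1
            if todo and todo[0] == comp:
                state = automaton(state, todo.pop(0))
                outputs.append(state)
    return outputs, inspections


def event_system(init: State, moves: List[str]) -> Tuple[List[State], int]:
    """Event-system style: Event_Manager reads the list and forwards the data only
    to the component responsible for it (exactly one dispatch per movement)."""
    handlers = {m: (lambda s, m=m: automaton(s, m)) for m in MOVES}
    state, outputs = init, []
    for move in moves:
        state = handlers[move](state)
        outputs.append(state)
    return outputs, len(moves)


def virtual_machine(init: State, moves: List[str]) -> Tuple[List[State], int]:
    """Virtual-machine style: one RobotMachine process executes the whole list."""
    state, outputs = init, []
    for move in moves:
        state = automaton(state, move)
        outputs.append(state)
    return outputs, len(moves)


def round_robin(k: int) -> str:       # a fair scheduler
    return MOVES[k % 3]


def always_stand(k: int) -> str:      # an unfair scheduler: Stand always wins the lock
    return 'Stand'


if __name__ == '__main__':
    init, moves = (0, False), ['Advance', 'Chg_Smile', 'Stand', 'Advance']  # constructed input
    print('vm         ', virtual_machine(init, moves))
    print('events     ', event_system(init, moves))
    print('pipes      ', pipe_filter(init, moves))
    print('repo/fair  ', repository(init, moves, round_robin))
    print('repo/unfair', repository(init, moves, always_stand, max_accesses=50))
```

All four models emit the same OUTPUT sequence on the same input, which is the correctness condition of Step 4 in miniature; they differ only in how much work (accesses or inspections) they spend, and the repository model additionally depends on the scheduler for termination.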
This example shows that Table 2 can only give hints which architectural styles 
should be considered when developing an architecture for a given problem that was 
previously fitted into some problem frame. We have demonstrated that several archi- 
tectures yield correct implementations. However, some of them are better suited than 
others. The reasons for preferring one architecture over another were efficiency as well 
as simplicity and elegance. For such a choice, no general rules can be given. However, 
the architectural styles provide us with an overall structure of the system to be devel- 
oped. As we have shown, several such structures should be explored in search of the 
optimal one. The structure finally chosen is the starting point of the subsequent devel- 
opment steps. 

For further validation of our approach, we have also carried out other case studies 
using Casl [CH03]. 

5 Conclusions 

Methodological issues in writing specifications are many, and we would like to point 
to related work that addresses issues complementary to ours. Roggenbach and 
Mossakowski [RM02] address the writing of readable specifications in Casl, avoid- 
ing semantic pitfalls (these concerns are also addressed in the Casl reference manual 
[BM02]). Bidoit, Hennicker and Kurz [BHK02] explore the use of observability con- 
cepts which are found to be useful and relevant for writing specifications. Blanc [Bla02] 
proposes guidelines for the iterative and incremental development of specifications. 

In this paper, we have introduced a methodology for formal specification that is 
systematic and that stresses reuse of previously acquired knowledge. Both patterns and 
agendas are a means to represent knowledge. Patterns are abstractions of the products 
developed during the software lifecycle, and reuse is achieved by instantiating a pat- 
tern. Agendas, on the other hand, are explicit representations of process knowledge. 
Both concepts are orthogonal, and in order to base the software development process as 
much as possible on previously acquired knowledge, the two concepts should be used 
in combination. In particular, the contributions of this paper are: 

- We have elaborated a software lifecycle where patterns play an important and well- 
defined role. 

- We have developed an agenda that gives guidance on how to perform this pattern-based 
software lifecycle in a systematic way. 

- We have shown how to combine problem frames, architectural styles and formal 
specifications. So far, these three were considered in isolation; no explicit connec- 
tion between them has previously been established. 

In the future we will provide methodological support also for the subsequent de- 
velopment steps of the software lifecycle proposed in Figure 2. In particular, this will 
involve the application of design patterns. Furthermore, we will investigate problem 
decomposition and multiframe problems in more detail. 
Abstract. We argue for an algorithmic approach to behavioral proofs, 
review the hidden algebra approach, develop circular coinductive rewrit- 
ing for conditional goals, extend it with case analysis, and give some 
examples. 



1 Introduction 

A natural extension of algebraic specification distinguishes visible sorts for data 
from hidden sorts for states, with states behaviorally equivalent iff they are indis- 
tinguishable under a given set of experiments; we have formalized this as hidden 
algebra, originating in [9] and further developed in [11,20, 18, 19] and other pa- 
pers. While standard equational proof techniques like induction are suitable for 
data, coinduction or context induction is generally needed for non-trivial behav- 
ioral properties, typically requiring extensive human intervention. This is not 
surprising, since behavioral satisfaction is -hard [5] , so that no algorithm can 
prove [or disprove] all behaviorally true [or false] statements. However, success- 
ful technology transfer requires placing less demand on users, as illustrated by 
the success of model checking. Hence our recent research concerns coinduction 
algorithms that require no human intervention. 

The languages we know that support automated behavioral reasoning are 
Spike [2], CafeOBJ [6], and BOBJ [10], the first based on context induction, and 
the other two on forms of coinduction. The powerful coinduction algorithm now 
in BOBJ has developed through several stages. The first restricts ordinary term 
rewriting to behavioral rewriting [18], by allowing rules to apply only in certain 
contexts (since standard equational reasoning may be unsound for behavioral 
satisfaction); this can be used like ordinary rewriting for ordinary equational 
reasoning, to check behavioral equivalence by computing and comparing 
behavioral normal forms. Circular coinductive rewriting (CCRW) [10] attempts to 
prove that a hidden equation holds (in the sense that the two terms cannot be 
distinguished by any context) by applying behavioral rewriting to both sides, 
allowing also application of the goal in even more restricted contexts than for 
rewriting, and generating new goals when rewriting fails to show equivalence; 
forms of this algorithm have been in BOBJ for more than three years. Conditional 
circular coinductive rewriting (CCCRW) generalizes CCRW to proving (sets 
of) conditional equations (although conditional axioms were already allowed by 
CCRW, conditional equations could only be proved by implication elimination, 
which we show is quite limited). Finally, conditional circular coinductive 
rewriting with case analysis (CCCCRW, or c4rw) adds case analysis, and seems to 
be the most powerful automated proof technique now available for behavioral 
equivalence. 

M. Wirsing, D. Pattinson, and R. Hennicker (Eds.): WADT 2002, LNCS 2755, pp. 216-232, 2003. 
© Springer-Verlag Berlin Heidelberg 2003 

Conditional Circular Coinductive Rewriting with Case Analysis 

This paper only discusses details for a simplified version of the c4rw al- 
gorithm, showing its correctness by relating its steps to sound inference rules 
given in Section 3. Some more sophisticated extensions have been implemented 
in BOBJ, and are briefly sketched in Section 5, but details are left for future 
papers. These extensions make the algorithm much more powerful in practice, 
and are needed, for example, in our recent proofs for the alternating bit protocol 
and the Petersen mutual exclusion algorithm. 

BOBJ’s c4rw algorithm takes as input a behavioral specification and a set of 
hidden sorted conditional equations, and it returns true, or failed (which may 
mean that the algorithm could not prove the goal, or that the goal is false, depending 
on the specification), or else goes into an infinite loop. Here is a simple example, 
illustrating case analysis in a coinductive proof of a conditional equation: 

Example 1. Sets with insertion. The behavioral theory SET has one hidden sort, 
Set, one hidden constant for the empty set, and operations for element 
membership and insertion. The case definition separates the situation where X equals 
Y from that where it does not; this split is applied only when a subterm of the 
term being reduced matches the pattern eq(X,Y). BOBJ allows case definitions 
to be named, reused, and combined with other such definitions. 

    bth SET is sort Set .
      pr NAT .
      op empty : -> Set .
      op _in_ : Nat Set -> Bool .
      op insert : Nat Set -> Set .
      vars M N : Nat .  var S : Set .
      eq N in empty = false .
      eq N in insert(M, S) = eq(N,M) or N in S .
    end

    cases CASES for SET is
      vars X Y : Nat .
      context eq(X,Y) .
      case eq X = Y .
      case eq eq(X,Y) = false .
    end

    cred with CASES insert(N, S) == S if N in S .

BOBJ’s c4rw algorithm is called by the cred command; notice that the goal 
here is a conditional equation. An algorithm of [21] first determines that {in} is 
a cobasis for set-sorted terms, i.e., that two terms are behaviorally equivalent 
iff they are indistinguishable by experiments with in. Next, the condition of the 
goal is added to the specification as a new equation, with its variables replaced 
by new constants (see the Condition Elimination rule in Section 3). Then BOBJ 
attempts to prove the goal by reducing each side to its behavioral normal form 
and checking for equality; since this fails, the goal is added to the specification 
as a circularity, that can only be applied in a restricted way; then the cobasis is 
applied to each side, and behavioral rewriting produces 

    eq(M,n) or M in s = M in s

where n and s are the new constants for N and S, respectively. After that, case 
analysis is applied, and since both cases reduce to true, the result is proved. 
All this takes just a few milliseconds, before BOBJ returns true. Note that the 
circularity is not actually used in this proof (but we soon give an example that 
does use a circularity). □ 

We have found case analysis essential for larger applications, such as our recent 
proofs of the alternating bit protocol and the Petersen mutual exclusion algo- 
rithm; in addition, we reduced the proof score for liveness of a real-time asyn- 
chronous data transmission protocol done in CafeOBJ by Futatsugi and Ogata 
[8], by a factor of about ten. Circularities have also been essential for many 
non-trivial examples, but here is a simple example, proving an identity that is 
familiar in functional programming, and also illustrating BOBJ’s parameterized 
module capability: 

Example 2. iter and map. Here DATA defines the interface to STREAM, that is, 
we consider streams of elements from an arbitrary data structure having some 
monadic operation f defined on its elements. These streams have the usual head 
and tail operations, plus _&_, which appends an element to the head of a stream. 
Its most interesting operations are map and iter, which respectively apply f to 
all the elements of a stream, and create a stream of iterations of f applied to its 
argument. 

    th DATA is sort Elt .
      op f_ : Elt -> Elt .
    end

    bth STREAM[X :: DATA] is sort Stream .
      op head_ : Stream -> Elt .
      op tail_ : Stream -> Stream .
      op _&_ : Elt Stream -> Stream .
      op map_ : Stream -> Stream .
      op iter_ : Elt -> Stream .
      var E : Elt .  var S : Stream .
      eq head(E & S) = E .
      eq tail(E & S) = S .
      eq head map S = f head S .
      eq tail map S = map tail S .
      eq head iter E = E .
      eq tail iter E = iter f E .
    end

    cred map iter E == iter f E .

The equation to be proved, map iter E = iter f E, often appears in proofs 
about streams in functional programs. Pure behavioral rewriting fails to prove 
the goal, so circular coinduction is invoked, with the goal added to the specification 
in a form that limits its application. The cobasis is determined to consist 
of head and tail, and so new goals are produced by applying these operations 
to the original goal. The goal generated by head is directly proved by rewriting, 
but the goal generated by tail is reduced by behavioral rewriting to 

    map iter f E = iter f f E

Applying the circularity at the top level reduces the left side to iter f f E, 
which is the same as the behavioral normal form of the right side of the goal. □ 
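As an added illustration (not BOBJ code, and not from the paper), here is a small Python model of the circular coinductive rewriting loop for the STREAM theory above. It hard-codes the six head/tail equations as the rewrite system, takes {head, tail} as the cobasis, freezes each open hidden goal as a circularity that may only be used at the top of a term, and replays the proof of map iter E == iter f E exactly as the text describes it: the head goal closes by rewriting, the tail goal closes by instantiating the circularity with E := f E. The term encoding, the function names and the goal bound are this example's own choices; conditions and case analysis are not modelled.

```python
# Terms are nested tuples. Variables carry their sort: ('var', name, sort).
# Stream operations: ('cons', e, s) is E & S, ('iter', e), ('map', s), ('head', s),
# ('tail', s); the data operation is ('f', e). Elt is visible, Stream is hidden.
E = ('var', 'E', 'Elt')
COBASIS = ('head', 'tail')            # cobasis for sort Stream, as BOBJ determines it


def sort_of(t):
    if t[0] == 'var':
        return t[2]
    return 'Elt' if t[0] in ('f', 'head') else 'Stream'


def match(pat, term, subst):
    """First-order matching of pat against term, extending subst in place."""
    if pat[0] == 'var':
        if pat[1] in subst:
            return subst[pat[1]] == term
        if sort_of(term) != pat[2]:
            return False
        subst[pat[1]] = term
        return True
    if pat[0] != term[0] or len(pat) != len(term):
        return False
    return all(match(p, a, subst) for p, a in zip(pat[1:], term[1:]))


def substitute(t, subst):
    if t[0] == 'var':
        return subst.get(t[1], t)
    return (t[0],) + tuple(substitute(a, subst) for a in t[1:])


def step(t):
    """One rewrite at the root with the six STREAM equations, or None."""
    if t[0] == 'head':
        s = t[1]
        if s[0] == 'cons': return s[1]                     # head(E & S) = E
        if s[0] == 'map':  return ('f', ('head', s[1]))    # head map S = f head S
        if s[0] == 'iter': return s[1]                     # head iter E = E
    if t[0] == 'tail':
        s = t[1]
        if s[0] == 'cons': return s[2]                     # tail(E & S) = S
        if s[0] == 'map':  return ('map', ('tail', s[1]))  # tail map S = map tail S
        if s[0] == 'iter': return ('iter', ('f', s[1]))    # tail iter E = iter f E
    return None


def nf(t):
    """Normal form: rewrite arguments first, then the root, until nothing applies.
    Every rule is a head/tail equation, i.e. it fires only under a cobasis
    operation, which is what keeps these rewrites behaviourally sound."""
    if t[0] == 'var':
        return t
    t = (t[0],) + tuple(nf(a) for a in t[1:])
    r = step(t)
    return nf(r) if r is not None else t


def apply_circularity(t, circularities):
    """Use a circularity l = r as a rule l -> r, but only at the top of t
    (the [_] freezing of Section 3); the instance is found by matching."""
    for l, r in circularities:
        subst = {}
        if match(l, t, subst):
            return substitute(r, subst)
    return t


def ccrw(lhs, rhs, max_goals=64):
    """Circular coinductive rewriting for one unconditional goal lhs == rhs.
    Returns (True, circularities) when every generated goal closes, or
    (False, goal) for a visible goal that rewriting cannot close. The goal
    bound stands in for the 'infinite loop' outcome mentioned in the text."""
    circularities, goals, tried = [], [(lhs, rhs)], 0
    while goals:
        if tried >= max_goals:
            return False, goals[0]
        tried += 1
        l, r = goals.pop(0)
        l, r = nf(l), nf(r)
        if l == r:
            continue
        if nf(apply_circularity(l, circularities)) == nf(apply_circularity(r, circularities)):
            continue
        if sort_of(l) != 'Stream':
            return False, (l, r)              # visible sides differ: proof fails
        circularities.append((l, r))          # freeze the open goal at the top
        for delta in COBASIS:                 # and apply the cobasis to both sides
            goals.append(((delta, l), (delta, r)))
    return True, circularities


def map_iter_goal():
    """Example 2: map iter E == iter f E."""
    return ccrw(('map', ('iter', E)), ('iter', ('f', E)))


def wrong_goal():
    """map iter E == iter E fails on the head experiment: f E versus E."""
    return ccrw(('map', ('iter', E)), ('iter', E))


if __name__ == '__main__':
    print(map_iter_goal())
    print(wrong_goal())
```

The second goal shows the "failed" outcome: the head experiment reduces the two sides to f E and E, which are visible and distinct, so no circularity can help and the procedure stops rather than adding a hypothesis it could never discharge.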

2 Specification and Satisfaction 

We first briefly review the basics of algebraic specification, and then the ver- 
sion of hidden algebra implemented in BOBJ [10], which drops several common 
but unnecessary restrictions, including that operations have just one hidden ar- 
gument, that equations have just one hidden variable, and that all operations 
preserve behavioral equivalence. 

2.1 Preliminaries 

The reader is assumed familiar with basic equational logic and algebra. Given an 
$S$-sorted signature $\Sigma$ and an $S$-indexed set of variables $Z$, let $T_\Sigma(Z)$ denote the 
$\Sigma$-term algebra over variables in $Z$. If $V \subseteq S$ then $\Sigma|_V$ is a $V$-sorted signature 
consisting of all those operations in $\Sigma$ with sorts entirely in $V$. We may let $\sigma(X)$ 
denote the term $\sigma(x_1, \ldots, x_n)$ when the number of arguments of $\sigma$ and their order 
and sorts are not important. If only one argument is important, then to simplify 
writing we place it at the beginning; for example, $\sigma(t, X)$ is a term having $\sigma$ as 
root with only variables as arguments except one, and we do not care which one, 
which is $t$. $Der(\Sigma)$ is the derived signature of $\Sigma$, which contains all $\Sigma$-terms, 
viewed as operations. If $t$ is a $\Sigma$-term and $A$ is a $\Sigma$-algebra, then $A_t : A^{var(t)} \to A$ 
is the interpretation of $t$ in $A$, defined as follows: given $\theta : var(t) \to A$, let $A_t(\theta)$ 
be $\theta(t)$, the evaluation of $t$ in $A$ with variables replaced by the values given by 
$\theta$. If one variable of $t$, say $\star$, is of special importance, then we may view the 
evaluation of $t$ in two steps, as $A_t : A \to (A^{var(t) - \{\star\}} \to A)$ with the obvious 
meaning. 



2.2 Behavioral Specification and Satisfaction 

We generalize the hidden algebra of [9, 11] to include variants such as observa- 
tional logic [1,3,14] and coherent hidden algebra [6,7]. See [19] for a detailed 
presentation of variants, history, many other concepts, and proofs for some 
results mentioned here. Two important variants of behavioral logic are the fixed 
data and the loose data, depending on whether or not the data universe is fixed 
(i.e., “built-in”). Due to space limitations, our exposition focuses on the loose 
data version, but all results also hold for the fixed data version. (However, 
validity of case analysis often depends on having a suitable fixed data algebra; for 
example, the above proof for SET requires that sort Bool have the usual two 
truth values.) 
Definition 1. Given disjoint sets $V, H$ called visible and hidden sorts, a hidden 
$(V, H)$-signature is a many sorted $(V \cup H)$-signature. A hidden subsignature 
of $\Sigma$ is a hidden $(V, H)$-signature $\Gamma$ with $\Gamma \subseteq \Sigma$ and $\Gamma|_V = \Sigma|_V$. The 
data signature is $\Sigma|_V$, which may be denoted $\Omega$. A visible sorted operation not 
in $\Omega$ is called an attribute, and a hidden sorted operation is called a method. 

Unless otherwise stated, the rest of this paper assumes fixed a hidden signature 
$\Sigma$ with a fixed subsignature $\Gamma$. Informally, $\Sigma$-algebras are universes of 
possible states of a system, i.e., “black boxes,” where one is only concerned with 
behavior under experiments with operations in $\Gamma$, where an experiment is an 
observation of a system attribute after perturbation; this is formalized below, 
where the symbol $\star$ is a placeholder (i.e., a variable) for the state being experi- 
mented upon. 

Definition 2. A $\Gamma$-context for sort $h \in H$ is a term in $T_\Gamma(\{\star : h\} \cup Z)$ 
with one occurrence of $\star$, where $Z$ is an infinite set of special variables. A data 
context for sort $v \in V$ is a term in $T_\Omega(\{\star : v\} \cup Z')$ with one occurrence of $\star$, 
where $Z'$ is an infinite set of special visible variables. A $\Gamma$-context with visible 
result sort is called a $\Gamma$-experiment. If $c$ is a context for sort $h$ and $t \in T_{\Sigma,h}$ 
then $c[t]$ denotes the term obtained from $c$ by substituting $t$ for $\star$; we may also 
write $c[\star]$ for the context itself. 

Definition 3. Given a hidden $\Sigma$-algebra $A$ with a hidden subsignature $\Gamma$, for 
sorts $s \in (V \cup H)$, we define $\Gamma$-behavioral equivalence of $a, a' \in A_s$ by $a \equiv^{\Gamma}_{\Sigma} a'$ 
iff $A_c(a)(\theta) = A_c(a')(\theta)$ for all $\Gamma$-experiments $c$ and all $(V \cup H)$-sorted maps 
$\theta : var(c) \to A$; we may write $\equiv$ instead of $\equiv^{\Gamma}_{\Sigma}$ when $\Sigma$ and $\Gamma$ can be inferred 
from context, and we write $\equiv_\Sigma$ when $\Sigma = \Gamma$. Given a $(V \cup H)$-equivalence 
$\sim$ on $A$, an operation $\sigma$ in $\Sigma_{s_1 \ldots s_n, s}$ is congruent¹ for $\sim$ iff $A_\sigma(a_1, \ldots, a_n) \sim 
A_\sigma(a'_1, \ldots, a'_n)$ whenever $a_i \sim a'_i$ for $i = 1 \ldots n$. An operation $\sigma$ is $\Gamma$-behaviorally 
congruent for $A$ iff it is congruent for $\equiv^{\Gamma}_{\Sigma}$. We often write just congruent for 
behaviorally congruent (a similar notion is given by Padawitz [17]). A hidden 
$\Gamma$-congruence on $A$ is a $(V \cup H)$-equivalence on $A$ which is the identity on 
visible sorts and for which each operation in $\Gamma$ is congruent. 

Behavioral equivalence is the identity on visible sorts, since the trivial contexts 
$\star : v$ are experiments for all $v \in V$. The following foundation for coinduction and 
other important results generalizes [11] to operations not behavioral and/or with 
more than one hidden argument; [20, 19] give proofs. Since final algebras need 
not exist in this setting, $\Gamma$-behavioral equivalence cannot use them as coalgebra 
does [22,16,15]. 

Theorem 1. Given a hidden subsignature $\Gamma$ of $\Sigma$ and a hidden $\Sigma$-algebra $A$, 
then $\Gamma$-behavioral equivalence is the largest hidden $\Gamma$-congruence on $A$. 

Behavioral satisfaction of conditional equations can now be naturally defined in 
terms of behavioral equivalence: 

¹ This is called “coherent” in [7], where the concept originated. 

Definition 4. A hidden $\Sigma$-algebra $A$ $\Gamma$-behaviorally satisfies a $\Sigma$-equation 
$(\forall X)\; t = t' \text{ if } t_1 = t'_1, \ldots, t_n = t'_n$, say $e$, iff for each $\theta : X \to A$, if $\theta(t_i) \equiv^{\Gamma}_{\Sigma} \theta(t'_i)$ 
for all $1 \le i \le n$, then $\theta(t) \equiv^{\Gamma}_{\Sigma} \theta(t')$; in this case we write $A \models^{\Gamma}_{\Sigma} e$. If $E$ is a 
set of $\Sigma$-equations we then write $A \models^{\Gamma}_{\Sigma} E$ when $A$ $\Gamma$-behaviorally satisfies each 
$\Sigma$-equation in $E$. We may omit $\Sigma$ and/or $\Gamma$ from $\models^{\Gamma}_{\Sigma}$ when they are clear. 

An elegant formulation of case analysis adds a new kind of sentence, which can 
also be used in specifications: 

Definition 5. Given a hidden signature $\Sigma$, a $\Sigma$-case sentence over variables 
$X$ is a nonempty set $\{C_1, C_2, \ldots, C_n\}$, written $(\forall X)\; \bigvee_{i=1}^{n} C_i$, where each $C_i$ for 
$1 \le i \le n$ is a set of pairs of $\Sigma$-terms over variables in $X$. For $A$ a hidden 
$\Sigma$-algebra, $A \models (\forall X)\; \bigvee_{i=1}^{n} C_i$ iff for any $\theta : X \to A$ there is some $1 \le i \le n$ 
such that $\theta(t) \equiv^{\Gamma}_{\Sigma} \theta(t')$ for each $t = t'$ in $C_i$. 

Definition 6. A behavioral (or hidden) $\Sigma$-specification (or -theory) is a 
triple $(\Sigma, \Gamma, E)$ where $\Sigma$ is a hidden signature, $\Gamma$ is a hidden subsignature of $\Sigma$, 
and $E$ is a set of $\Sigma$-sentences (equations or cases). Non-data $\Gamma$-operations (i.e., 
in $\Gamma - \Sigma|_V$) are called behavioral. A $\Sigma$-algebra $A$ behaviorally satisfies (or 
is a model of) a behavioral specification $B = (\Sigma, \Gamma, E)$ iff $A \models^{\Gamma}_{\Sigma} E$, in which 
case we write $A \models B$; also $B \models e$ iff $A \models B$ implies $A \models^{\Gamma}_{\Sigma} e$. An operation 
$\sigma \in \Sigma$ is behaviorally congruent for $B$ iff $\sigma$ is $\Gamma$-behaviorally congruent for 
each $A$ such that $A \models B$. 

Interesting examples of non-$\Gamma$-behaviorally congruent operations arise in pro- 
gramming language semantics. For example, considering two programs in a lan- 
guage equivalent iff both terminate with the same output, a $\Gamma$ can be defined 
to enforce this behavioral equivalence relation, but an adequate behavioral spec- 
ification requires operations that do not preserve this behavioral equivalence, 
such as observing the execution environment (e.g., two programs may declare a 
variable x, one instantiate it to 0 and the other to 1, and then never use that 
variable). 

Proposition 1. For any behavioral specification $B = (\Sigma, \Gamma, E)$, all operations 
in $\Gamma$ and all hidden constants are behaviorally congruent for $B$. 

Of course, $E$ may be such that other operations are also congruent. An easy 
criterion for congruence is given in [20] and is generalized in [4,21]; [20] also 
shows that congruent operations can be added to or removed from $\Gamma$ as desired 
when no equation in $E$ has hidden sorted equalities in its condition (which is a 
common situation). 



3 Behavioral Inference 

This section introduces five sound rules for behavioral equivalence, beyond the 
usual reflexivity, symmetry, transitivity and substitution; they all work on condi- 
tional equations. We let $\Vdash$ denote the relation being defined, for deduction from 
a specification to an equation. Also, if $B$ is a behavioral specification and $Y$ a set 
of variables, let $B(Y)$ denote $B$ with $Y$ adjoined to the signature of $B$; similarly, 
if $E$ is a set of equations, let $B\{E\}$ denote $B$ with $E$ adjoined to the equations 
of $B$. This notation allows writing things like $B(Y)\{E\}$ and $B(Y)\{E, E'\}$. 

As discussed in the paragraph before Proposition 1, operations are not always 
congruent. This implies that the congruence rule of equational deduction is not 
always sound for behavioral reasoning. However, there are important situations 
where it is sound: a) when applied at the top of a visible term; and b) when 
applied to behaviorally congruent operations. The reason for the first is that 
behavioral equivalence is the identity on visible sorts, and for the second is that 
behaviorally congruent operations preserve the behavioral equivalence relation. 
Thus we have: 

Congruence: 

a) $$\frac{B \Vdash (\forall X)\; t = t' \text{ if } c, \quad sort(t, t') \in V}{B \Vdash (\forall X, W)\; \sigma(W, t) = \sigma(W, t') \text{ if } c, \quad \text{for all } \sigma \in Der(\Sigma)}$$ 

b) $$\frac{B \Vdash (\forall X)\; t = t' \text{ if } c, \quad sort(t, t') \in H}{B \Vdash (\forall X, W)\; \delta(s, t) = \delta(s, t') \text{ if } c, \quad \text{for all } \delta \in \Gamma \text{ and } s \in T_\Sigma(W)}$$ 

where $s$ is an appropriate string of $\Sigma$-terms over variables in $W$. Deduction with 
this plus reflexivity, symmetry and transitivity satisfies an important property 
given in Proposition 2 below, using the following: 

Definition 7. A $\Sigma$-context $\gamma$ is behavioral iff all operations on the path to $\star$ in 
$\gamma$ are behavioral, and is safe iff either it is behavioral or there is some behavioral 
experiment $\gamma'$ (of visible result) such that $\gamma = \gamma''[\gamma']$ for some appropriate $\gamma''$. 

Proposition 2. If $B \Vdash (\forall X)\; t = t' \text{ if } c$ then $B \Vdash (\forall X, W)\; \gamma[t] = \gamma[t'] \text{ if } c$ 
for any appropriate safe $\Sigma$-context $\gamma$, where $W$ gives the variables of $\gamma$. 



The deduction theorem says that to prove an implication p ^ q one can add 
p to the set of axioms and then prove q. In equational logics, since universal 
quantifiers bind both the condition and the conclusion of a conditional equation, 
to make the deduction theorem work one must first unbind the variables in the 
condition. This is typically done via the “theorem of constants,” which adds a 
new constant to the signature for each variable of interest. Here is a behavioral 
rule combining these two: 



Condition Elimination: 

$$\frac{B(Y)\{E(c)\} \Vdash (\forall X - Y)\; t = t'}{B \Vdash (\forall X)\; t = t' \text{ if } c}$$ 

where $Y$ is the set of variables occurring in $c$, and $E(c)$ is the set of ground 
unconditional equations contained in $c$ (arising since $c$ is a conjunction of equal- 
ities). In the lower part of this rule, $t, t', c$ are all defined over the signature of 
$B$ and use variables in $X$, while in the upper part, $t$ and $t'$ still use variables in 
$X$ but all their variables in $Y$ are replaced by new constants, thus giving a new 
behavioral specification $B(Y)$, where each variable in $Y$ is regarded as a new 
constant. 

A case sentence can be used to derive new equations by providing a substi- 
tution from the case statement’s variables into terms over the equation’s vari- 
ables. Formally, let $B$ be a behavioral specification containing the case statement 
$(\forall Y)\; \bigvee_{i=1}^{n} C_i$, let $\varphi$ be a map $Y \to T_\Sigma(X)$, and let $V_i = var(\varphi(C_i))$. Then 

Case Analysis: 

$$\frac{B(V_i)\{(\forall \emptyset)\; \varphi(C_i)\} \Vdash (\forall X - V_i)\; t = t' \text{ if } c, \quad \text{for } 1 \le i \le n}{B \Vdash (\forall X)\; t = t' \text{ if } c}$$ 

This says that to prove $(\forall X)\; t = t' \text{ if } c$ by case analysis using $(\forall Y)\; \bigvee_{i=1}^{n} C_i$ 
one must provide a substitution instantiating the case statement to the context 
of the proof task and then, for each case $C_i$, prove the equational sentence using 
that case as an axiom, after the relationship between the case’s variables and 
the equation’s variables is made explicit by replacing them by constants. 

Unrestricted use of the Case Analysis rule can be very expensive, even non- 
terminating, and it can also be hard to find appropriate substitutions $\varphi$. Since 
our main goal is an automatic and relatively efficient procedure for proving 
behavioral equivalence, we have developed a simple mechanism to tell BOBJ 
both when to perform a case analysis and with what substitution. In BOBJ, 
each case statement comes with a pattern, usually denoted by $p$, which is just 
a $\Sigma$-term with variables. The Case Analysis rule is enabled only if the pattern $p$ 
matches a subterm of $t$ or $t'$, and then the substitution also comes for free. 

Our most powerful rule is Circular Coinduction, but first we recall the impor- 
tant notion of cobasis, originating in [20] and later simplified in [18, 12, 21]. For 
this paper, a cobasis $\Delta$ is a subset of $\Gamma$ that generates enough experiments, 
in the sense that no $\Gamma$-experiment can distinguish two states that cannot be 
distinguished by these experiments. Finding a minimal cobasis seems undecid- 
able, but there are cobasis criteria that work well in practice [20, 4, 21], and are 
implemented in BOBJ. Users can also declare their own cobases in BOBJ. 

Intuition for circular coinduction can be enhanced by considering its duality 
with structural induction. Inductive proofs show equality of terms $t(x), t'(x)$ over 
a given variable $x$ (seen as a constant) by showing $t(\sigma(x))$ equals $t'(\sigma(x))$ for all $\sigma$ 
in a basis, while circular coinduction shows terms $t, t'$ behaviorally equivalent by 
showing equivalence of $\sigma(t)$ and $\sigma(t')$ for all $\sigma$ in a cobasis. Moreover, coinduction 
applies cobasis operations at the top, while structural induction applies basis 
operations at the bottom. Both induction and circular coinduction assume some 
“frozen” instances of $t, t'$ equal when checking the inductive/coinductive step: for 
induction, the terms are frozen at the bottom by replacing the induction variable 
by a constant, so that no other terms can be placed beneath the induction 
variable, while for coinduction, the terms are frozen at the top, so that they 
cannot be used as subterms of other terms (with some important but subtle 
exceptions, treated by the Special Context inference rule below). 

Freezing terms at the top is elegantly handled by a simple trick. Suppose 
every specification has a special visible sort $b$, and for each (hidden or visible) sort 
$s$ in the specification, a special congruent operation $[\_] : s \to b$. No equations are 
assumed for these operations and no user defined sentence can refer to them; they 
are there for technical reasons. Thus, with the inference rules introduced so far, 
for any behavioral specification $B$ and any conditional equation $(\forall X)\; t = t' \text{ if } c$, 
it is necessarily the case that $B \Vdash (\forall X)\; t = t' \text{ if } c$ iff $B \Vdash (\forall X)\; [t] = [t'] \text{ if } c$. 
The rule below preserves this property. Let $\Delta$ be a cobasis for $B$, and let the 
sort of $t, t'$ be hidden. Then 

Circular Coinduction: 

$$\frac{B\{(\forall X)\; [t] = [t'] \text{ if } c\} \Vdash (\forall X, W)\; [\delta(t, W)] = [\delta(t', W)] \text{ if } c, \quad \text{for all appropriate } \delta \in \Delta}{B \Vdash (\forall X)\; t = t' \text{ if } c}$$ 

We call the equation $(\forall X)\; [t] = [t'] \text{ if } c$ added to $B$ a circularity; it could just as 
well have been called a coinduction hypothesis or a co-hypothesis, but we find the 
first name more intuitive because from a coalgebraic point of view, coinduction 
is all about finding circularities. Another way to look at circular coinduction is 
through the lens of context induction [13]. To clarify this discussion, we replace 
the operations $[\star]$ by $C[\star]$. Then our rule says that to show $(\forall X)\; t = t' \text{ if } c$, 
one can assume $(\forall X)\; C[t] = C[t'] \text{ if } c$ and then show $(\forall X, W)\; C[\delta(t, W)] = 
C[\delta(t', W)] \text{ if } c$ for each $\delta \in \Delta$, which, if one thinks of $C[\delta(\star, W)]$ as $(C; \delta)(\star, W)$, 
is just an induction scheme on contexts. In fact, this is how we prove soundness 
of this rule (in Theorem 2 below). 

Unfortunately, restricting application of circularities to the top of proof goals 
using the operations $[\star]$ excludes many important situations (e.g., see Exam- 
ple 5). We begin considering when this restriction can be lifted with the follow- 
ing: 

Definition 8. A $\Gamma - \Delta$ context $\gamma[\star]$ is called special iff for any $\Delta$-experiment 
$C[\star]$, there exists a $\Delta$-experiment $D[\star]$ such that $C[\gamma[\star]] = D[\star]$ and the size 
of $D[\star]$ is not bigger than the size of $C[\star]$. 

The next rule allows using circularities inside special contexts: 

Special Context: 

$$\frac{B \Vdash (\forall X)\; [t] = [t'] \text{ if } c}{B \Vdash (\forall X, W)\; [\gamma(t, W)] = [\gamma(t', W)] \text{ if } c}, \quad \text{when } \gamma \text{ is a special context}$$ 

We now describe two kinds of special contexts, but will consider others in the 
future. 

Definition 9. An operation $f$ in $\Gamma - \Delta$ is context collapsed iff for any $\Delta$- 
experiment $C[\ast]$, one of the following two conditions holds: 

1. there exists an attribute $g$ in $\Delta$ and a data context $D[\ast]$ such that $C[f(W)] 
= D[g(W)]$; 

2. $C[f(W)] = t$ where $t$ is a data term (i.e., a term over the data signature). 

It is not hard to see that $f$ is context collapsed if both of the following are 
satisfied: 

1. For any attribute $g$ in $\Delta$ and any variable $x$ of hidden sort, $g(f(x, V), W) = t$, 
where $t$ is a data term, or $t = D[g'(x, W)]$ where $g'$ is another attribute in 
$\Delta$ and $D[\ast]$ is a data context. 

2. For any non-attribute operation $g$ in $\Delta$ and any variable $x$ of hidden sort, 
$g(f(x, V), W) = x$, or else $g(f(x, V), W) = C[x]$ where $C$ is a context made 
from context collapsed operations. 

Definition 10. An operation $f$ in $\Gamma - \Delta$ is context preserved iff both of the 
following are satisfied: 

1. For any attribute $g$ in $\Delta$ and any variable $x$ of hidden sort, $g(f(x, V), W) = t$ 
where $t$ is a data term, or $t = D[g'(x, W)]$ where $g'$ is an attribute in $\Delta$ and 
$D[\ast]$ is a data context. 

2. For any non-attribute $g$ in $\Delta$ and variable $x$ of hidden sort, 

   $g(f(x, V), W) = C[f(g'(x, V, W), V, W)]$ or 
   $g(f(x, V), W) = C[f(x, V, W)]$ or 
   $g(f(x, V), W) = C[g'(x, V, W)]$ or 
   $g(f(x, V), W) = x$, 

   where $C[\ast]$ is a context of context collapsed operations and $g'$ is in $\Delta$. 

Circularities can be applied under contexts built from just context collapsed oper- 
ations and context preserved operations, since such contexts satisfy the Special 
Context rule. 

One should be extremely careful in checking that contexts are special. For 
example, the cobasis operations in $\Delta$ cannot be special, because otherwise the 
Circular Coinduction rule would prove everything: the obligation for $\delta \in \Delta$ 
would follow from the circularity itself. As shown by Example 3, even 
behavioral operations in $\Gamma - \Delta$ can fail to be special. The examples and theory 
in this paper show that the issues involved are more subtle than we realized in 
[18], which described an overly optimistic algorithm. The following is the main 
result of this paper; its soundness assertions will be used to justify the c4rw 
algorithm. 

Theorem 2. The usual equational inference rules, Reflexivity, Symmetry, Tran- 
sitivity, and Substitution, as well as the new rules above, Congruence, Condition 
Elimination, Case Analysis, Circular Coinduction and Special Context, are all sound. 
By soundness here we mean that if $B \Vdash (\forall X)\, t = t' \text{ if } c$ and $sort(t, t') \neq b$, or 
if $B \Vdash (\forall X)\, [t] = [t'] \text{ if } c$, then $B \models (\forall X)\, t = t' \text{ if } c$. 

4 Behavioral Rewriting 

Behavioral rewriting is to the first five rules of Theorem 2 as ordinary term 
rewriting is to equational logic: it provides a simple, efficient and automatic 
procedure for checking equalities. To simplify the exposition, we treat only un- 
conditional rewriting, but the generalization to conditional rewriting is similar to 
that for ordinary term rewriting. Behavioral rewriting must differ from ordinary 
term rewriting because operations are not necessarily behaviorally congruent. 

Definition 11. A $\Sigma$-rewrite rule is a triple $(\forall Y)\, l \to r$ where $l, r \in T_\Sigma(Y)$. 
A behavioral $\Sigma$-rewriting system is a triple $(\Sigma, \Gamma, R)$ where $\Sigma$ is a hidden 
signature, $\Gamma$ is a hidden subsignature of $\Sigma$, and $R$ is a set of $\Sigma$-rewrite rules. 

Definition 12. The behavioral (term) rewriting relation associated to a 
behavioral rewriting system $\mathcal{R}$ is the smallest relation $\Rightarrow$ such that: 

1. $\theta(l) \Rightarrow \theta(r)$ for each $(\forall Y)\, l \to r$ in $\mathcal{R}$ and $\theta : Y \to T_\Sigma(X)$; 

2. if $t \Rightarrow t'$ and $sort(t, t') \in V$ then $\sigma(W, t) \Rightarrow \sigma(W, t')$ for all $\sigma \in Der(\Sigma)$ and 
all appropriate variables $W$; and 

3. if $t \Rightarrow t'$ and $sort(t, t') \in H$ then $\delta(W, t) \Rightarrow \delta(W, t')$ for all $\delta \in \Gamma$ and all 
appropriate variables $W$. 

When $\mathcal{R}$ is important, we write $\Rightarrow_{\mathcal{R}}$ instead of $\Rightarrow$. 
Behavioral rewriting applies a rule to a hidden redex only if behavioral¹ opera- 
tions occur on the path from that redex towards the root until a visible sort is 
reached; if no visible sort is reached, rewriting is still allowed provided all operations 
on the path from the redex to the root are behavioral. We can formulate an 
equivalent definition of behavioral rewriting with the following: 

Proposition 3. $t \Rightarrow t'$ iff there is a rewrite rule $(\forall Y)\, l \to r$ in $R$, a safe 
$\Sigma$-context $\gamma$, and a substitution $\theta$ such that $t = \gamma[\theta(l)]$ and $t' = \gamma[\theta(r)]$. 

Behavioral rewriting is implemented in CafeOBJ [6] and BOBJ [10]. Confluence 
and termination of behavioral rewriting are interesting subjects for research, 
but we do not focus on them here, except to notice that termination of ordinary 
rewriting implies termination of behavioral rewriting, because $\Rightarrow$ is a subre- 
lation of the usual term rewriting relation; therefore any termination criterion 
for ordinary rewriting applies to behavioral rewriting. Many classical results also 
generalize: 

Proposition 4. If $\mathcal{R} = (\Sigma, \Gamma, R)$ is a behavioral $\Sigma$-rewriting system and $B = 
(\Sigma, \Gamma, E)$ is its associated behavioral specification, i.e., if $E = \{(\forall Y)\, l = r \mid 
(\forall Y)\, l \to r \in R\}$, and if $\Rightarrow$ and $=_{Eq}$ are the behavioral rewriting and equa- 
tional derivability (using the first five rules in Theorem 2) relations on $\mathcal{R}$ and 
$B$, respectively, then 

1. $\Leftrightarrow^{*}$, the reflexive, symmetric and transitive closure of $\Rightarrow$, coincides with $=_{Eq}$; 

2. if $\Rightarrow$ is confluent then $t =_{Eq} t'$ iff $t$ and $t'$ rewrite to a common term, i.e., $=_{Eq}$ is $\Rightarrow^{*};\Leftarrow^{*}$; and 

3. if $\Rightarrow$ is canonical then $t =_{Eq} t'$ iff $bnf_{\mathcal{R}}(t) = bnf_{\mathcal{R}}(t')$, where $bnf_{\mathcal{R}}(u)$ is the 
behavioral normal form of a $\Sigma$-term $u$. 

We now extend behavioral rewriting to take account of special contexts, for use 
in the algorithm of the next section: 

Definition 13. The extended rewriting relation is defined for behavioral rewriting systems extended with the 
special sort $b$ and operations $[\_]$, by extending $\Rightarrow$ minimally such that if $[t] \Rightarrow [t']$ 
then $[\gamma(t, W)] \Rightarrow [\gamma(t', W)]$ for each special context $\gamma$ (see Definition 8). Given a 
behavioral rewriting system $\mathcal{R}$ with its associated behavioral specification $B$, let 
$bnf_B(t)$ denote the normal form of a term $t$ under this extended rewriting relation. 

Soundness of the extended relation follows from Proposition 4 and soundness of the Special Context 
rule (Theorem 2, which also says what we mean by soundness in the context of 
the special sort $b$ and operations $[\_]$). 

5 The C4RW Algorithm 

A simple way to automate behavioral reasoning is just to behaviorally rewrite 
the two terms to normal forms, and then compare them, as suggested by Proposi- 
tion 4. Although this is too weak to prove most interesting properties, the c4rw 
algorithm combines it with circular coinduction and case analysis in a harmo- 
nious and automatic way, for proving hidden properties, which are usually the 
most interesting and difficult. Intuitively, to prove a hidden conditional equation 
$(\forall X)\, t = t' \text{ if } c$, one applies the circular coinduction rule and tries to prove the 
resulting apparently more complex properties. The algorithm maintains a list of 
goals, which is reduced when a goal is proved, and is increased when new goals 
are generated by the coinduction or case analysis rules. The algorithm termi- 
nates when either a visible proof task cannot be proved, in which case failed is 
returned, or when the set of goals becomes empty, in which case true is returned. 
The proof goals are stored in bracketed form to control their application. 

¹ We recommend declaring as many operations as possible behavioral, and in partic- 
ular, all congruent operations [20]; those who don't like this may substitute "behav- 
ioral or congruent" for "behavioral" through the rest of this paper. 

We first describe the main procedure, c4rw, which has a set, $G$, of hidden 
equations with visible conditions as initial goals. The loop at step 1 processes 
each goal in $G$, and terminates when $G$ becomes empty or when failed is re- 
turned at step 8. Step 2 removes goals from $G$, and step 3 puts them (in frozen 
or bracketed form) into the specification. These frozen versions of goals can then 
be used in subsequent proofs, much as induction hypotheses are used in induc- 
tive proofs, but "at the top" instead of "at the bottom" (see the 
discussion in Section 3). 



procedure c4rw($B$, $\Delta$, $G$)   (can modify its $B$ and $G$ arguments) 

INPUT:  - a behavioral theory $B = (\Sigma, \Gamma, E)$ 
        - a cobasis $\Delta$ of $B$ 
        - a set $G$ of hidden $\Sigma$-equations with visible conditions (in bracket form) 

OUTPUT: true if a proof of $B \models G$ is found; otherwise failed or non-terminating 

 1. while there is some $e := (\forall X)\, [t] = [t'] \text{ if } c$ in $G$ do 
 2.   let $G$ be $G - \{e\}$ 
 3.   let $B$ be $B\{e\}$ 
 4.   let $\theta$ be a substitution on $X$ assigning new constants to the variables in $c$; 
      add the new constants to $B$ 
 5.   let $E_{\theta(c)}$ be the set of visible ground equations in $\theta(c)$ 
 6.   for each $\delta \in \Delta$ appropriate for $e$ do 
 7.     if ProveEq($B$, $bnf_{B\{E_{\theta(c)}\}}([\delta(\theta(t), W)])$, $bnf_{B\{E_{\theta(c)}\}}([\delta(\theta(t'), W)])$, $\theta(c)$, $E_{\theta(c)}$) $\neq$ true 
 8.     then if $\delta$ is an attribute then return failed 
 9.          else let $G$ be $G \cup \{(\forall X, W)\, bnf_B([\delta(t, W)]) = bnf_B([\delta(t', W)]) \text{ if } c\}$ 
10.   endfor endwhile 
11. return true 



Steps 4 and 5 prepare for applying the Circular Coinduction rule. Since it 
generates new conditional proof obligations, each with the same condition, and 
since all these will later be subject to Condition Elimination, for efficiency step 4 
first generates new constants for the variables in the condition, and then step 5 
calculates the set of ground unconditional equations that will later be added to 
the specification by Condition Elimination. Steps 6-11 apply the Circular Coinduc- 
tion rule. For each appropriate operation $\delta$ in the cobasis $\Delta$, step 7 tries to prove 
that $[\delta(t, W)]$ equals $[\delta(t', W)]$, by first applying the Condition Elimination rule 
(giving $B\{E_{\theta(c)}\}$), then using behavioral rewriting on both terms, and finally checking 
equality with the procedure ProveEq, which is explained below. Notice that 
behavioral rewriting can use the frozen equation; more precisely, the frozen equa- 
tion is applied (as a rewrite rule) if the term $[\delta(t, W)]$ reduces to an instance 
(via a substitution) of $[t]$ (of course, only if the condition holds). This is equivalent to 
saying that the equation $(\forall X)\, t = t' \text{ if } c$ can only be applied at the top when 
reducing the terms $\delta(t, W)$ generated by circular coinduction. If the procedure 
ProveEq does not return true, meaning that it was not able to prove the two 
$b$-sorted terms equal, then the algorithm returns failed if the cobasis operation 
was visible, i.e., an attribute (step 8), or else it adds a new (hidden) goal to $G$, as required by the 
Circular Coinduction rule (step 9). 

We next discuss the procedure ProveEq, which takes as arguments a be- 
havioral specification, $b$-sorted terms $u, u'$, and the ground version of the equa- 
tion's condition (its variables replaced by new constants) together with the set of 
ground equations it generates; it returns true, or failed, or loops forever. Step 
1 returns true if the two terms are equal, and steps 2-5 check whether any case 
statement in $B$ can be applied. Remember that the Case Analysis rule requires 
a substitution of the variables in the case statement into terms over the vari- 
ables of the equation to be proved, and that we use a pattern in BOBJ which 
automatically selects a substitution $\tau$ (step 3). Step 4 checks whether the case 
analysis $L$ can show the two terms equivalent, using the procedure CaseAnal- 
ysis described below. If no case sentence can show the terms $u, u'$ equivalent, 
then step 6 returns failed. 

procedure ProveEq($B$, $u$, $u'$, $\theta(c)$, $E_{\theta(c)}$) 

INPUT:  - a behavioral theory $B$ 
        - two terms $u$ and $u'$ of visible sort $b$ 
        - a ground visible condition $\theta(c)$ and its ground equations $E_{\theta(c)}$ 

OUTPUT: true if a proof of $B \models (\forall var(u, u'))\, u = u' \text{ if } \theta(c)$ is found; 
        otherwise failed or non-terminating 

 1. if $u = u'$ then return true 
 2. for each case sentence $(p, L)$ in $B$ do 
 3.   if $p$ matches a subterm of $u$ or $u'$ with substitution $\tau$ 
 4.   then if CaseAnalysis($L$, $\tau$, $B$, $u$, $u'$, $\theta(c)$, $E_{\theta(c)}$) 
 5.        then return true endfor 
 6. return failed 



The CaseAnalysis procedure just applies the Case Analysis rule. For each 
case $C$, it first adds a new constant for each variable in $C$ (step 2) and gener- 
ates the ground equations of $C$ (step 3). Steps 4-5 check the top derivation in 
the Case Analysis rule: step 4 checks whether the condition of the equational 
sentence became false (to keep the presentation short we have not introduced 
an inference rule for false conditions), and if this is not the case, then step 5 
recursively checks whether $u$ and $u'$ became equal under the new assumptions; 
since this recursion may not terminate, some care may be required when defining 
case statements. 
procedure CaseAnalysis($L$, $\tau$, $B$, $u$, $u'$, $\theta(c)$, $E_{\theta(c)}$) 

 1. for each case $C$ in $L$ do 
 2.   let $\eta$ be $\tau$ with a new constant substituted for each variable in $C$ 
 3.   let $E_{\eta(C)}$ be the set of visible ground equations in $\eta(C)$ 
 4.   if $bnf_{B\{E_{\eta(C)}\}}(\theta(c)) \neq$ false and 
 5.      ProveEq($B\{E_{\eta(C)}\}$, $bnf_{B\{E_{\eta(C)}\}}(u)$, $bnf_{B\{E_{\eta(C)}\}}(u')$, $\theta(c)$, $E_{\theta(c)}$) $\neq$ true 
 6.   then return failed endfor 
 7. return true 

To take full advantage of behavioral rewriting, one must carefully orient the 
new equations added at step 9 as rewrite rules; the success of c4rw depends on 
how well this is done. The following orientation procedure has worked very well 
in practice: if both directions are valid as rewrite rules (i.e., both sides have 
the same variables), then orient so that the left side has more symbols than the 
right side; if the terms have the same number of symbols, then orient with the right 
side smaller than the left side under the lexicographic path ordering induced 
by the order in which operations are declared. The following is a more precise 
description: 

1. if only one direction is valid (the variables of the right side occur in the left side), then use it; 

2. if both directions are valid, but one of $\delta(t, W)$ and $\delta(t', W)$, say $t_1$, has more 
symbols than the other, say $t_2$, then add the rule $[t_1] \to [t_2] \text{ if } c$ to $G$; 

3. if both directions are valid and have the same number of symbols, but $t_1 > 
t_2$, then add $[t_1] \to [t_2] \text{ if } c$ to $G$, where $>$ is the lexicographic path ordering 
induced by the operation declaration ordering, defined by 

   $f(t_1, \ldots, t_n) > t_i$ for all $1 \le i \le n$, 

   $f(t_1, \ldots, t_n) > f(s_1, \ldots, s_n)$ if $(t_1, \ldots, t_n) > (s_1, \ldots, s_n)$ in lexicographic 
   order, 

   $f(t_1, \ldots, t_n) > g(s_1, \ldots, s_m)$ if $f > g$ and $f(t_1, \ldots, t_n) > s_j$ for all $1 \le j \le 
   m$. 
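As an added illustration (not code from the paper or from BOBJ), the following Python reproduces the orientation procedure just described on terms written as nested tuples. Where the text leaves a choice open it makes an assumption, stated in the comments: a later-declared operation is the larger one in the precedence, and the comparison is the standard lexicographic path ordering, whose clauses specialise to the three stated above. The sample terms are the two sides that tail produces from the goal iter1 E == iter2 E of Example 5 (under the assumed declaration order f, map, iter1, iter2) and the sides odd odd b, odd a of Example 3.

```python
# Added example: orientation of the two sides of a new circularity, following
# the three steps of the text.  A term is a nested tuple (op, arg_1, ..., arg_n),
# a constant is a one-element tuple, and a variable is a bare string.

def is_var(t):
    return isinstance(t, str)

def size(t):
    """Number of symbols in t (a variable counts as one symbol)."""
    return 1 if is_var(t) else 1 + sum(size(a) for a in t[1:])

def variables(t):
    if is_var(t):
        return {t}
    vs = set()
    for a in t[1:]:
        vs |= variables(a)
    return vs

def lpo_gt(t, s, prec):
    """t > s in the lexicographic path ordering whose precedence is prec
    (operation -> rank).  Variables are minimal: t > x iff x occurs in t."""
    if is_var(t):
        return False
    if is_var(s):
        return s in variables(t)
    f, ts = t[0], t[1:]
    g, ss = s[0], s[1:]
    # f(t1,...,tn) > s if some argument ti is s itself or is already above s
    if any(ti == s or lpo_gt(ti, s, prec) for ti in ts):
        return True
    # f(t1,...,tn) > g(s1,...,sm) if f > g and t > sj for all j
    if prec[f] > prec[g]:
        return all(lpo_gt(t, sj, prec) for sj in ss)
    # f(t1,...,tn) > f(s1,...,sn) if the arguments are lexicographically
    # larger (and, as in the standard LPO, t > sj for all j)
    if f == g:
        for ti, si in zip(ts, ss):
            if ti != si:
                return lpo_gt(ti, si, prec) and all(lpo_gt(t, sj, prec) for sj in ss)
    return False

def orient(t1, t2, prec):
    """Return (lhs, rhs) for the rule [lhs] -> [rhs] if c, or None when no
    direction is a valid rewrite rule or the two sides cannot be ordered."""
    v1, v2 = variables(t1), variables(t2)
    valid12, valid21 = v2 <= v1, v1 <= v2      # rhs variables must occur in lhs
    if valid12 != valid21:                     # step 1: only one direction valid
        return (t1, t2) if valid12 else (t2, t1)
    if not valid12:
        return None
    n1, n2 = size(t1), size(t2)
    if n1 != n2:                               # step 2: more symbols on the left
        return (t1, t2) if n1 > n2 else (t2, t1)
    if lpo_gt(t1, t2, prec):                   # step 3: the LPO decides
        return (t1, t2)
    if lpo_gt(t2, t1, prec):
        return (t2, t1)
    return None

def declaration_order(*ops):
    """Precedence induced by a declaration sequence.  Assumption: an operation
    declared later is larger (the text does not fix the direction)."""
    return {op: i for i, op in enumerate(ops)}

# Assumed declaration order for Example 5: f and map come before iter1, iter2.
PREC_MAP_ITER = declaration_order("f", "map", "iter1", "iter2")

def orient_map_iter():
    """The sides tail produces from iter1 E == iter2 E: iter1 f E and map iter2 E."""
    return orient(("iter1", ("f", "E")), ("map", ("iter2", "E")), PREC_MAP_ITER)

def orient_odd():
    """Example 3 after tail: odd odd b versus odd a (decided by symbol count)."""
    return orient(("odd", ("odd", ("b",))), ("odd", ("a",)), declaration_order("a", "b", "odd"))
```

Both sample pairs have the same variables on both sides, so step 1 does not decide them; the Example 3 pair is settled by symbol count (3 against 2), while the Example 5 pair has equal size and falls to the path ordering, whose outcome depends on the assumed precedence.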

Theorem 3. The procedure c4rw described above is correct. More precisely, for 
any behavioral theory $B$ and any correct cobasis $\Delta$ for it, if c4rw($B$, $\Delta$, $G$) returns 
true then $B \models G$. 

Proof. Since c4rw is just a discipline for applying the behavioral inference rules, 
its correctness follows from Theorem 2. (The converse does not hold: Example 4 
shows a valid goal on which c4rw does not terminate.) 

Example 3. An invalid coinduction. This shows how the unrestricted use of circu- 
larities can give rise to incorrect results. Notice that odd is a congruent operation 
not in the cobasis, which for streams consists of just head and tail. 

bth FOO is pr STREAM[NAT] . 
  op odd_ : Stream -> Stream . 
  var S : Stream . 
  eq head odd S = head S . 
  eq tail odd S = odd tail tail S . 
  ops a b : -> Stream . 
  eq head a = head b . 
  eq tail a = odd a . 
  eq tail tail b = odd b . 
end 

cred odd b == a . 

The "proof" goes as follows, using the cobasis {head, tail} as usual: 

  head odd b == head a 

follows by behavioral reduction, and 

  tail odd b == tail a 

reduces to 

  odd odd b == odd a 

which follows (illegitimately) by applying the circularity inside the context odd. 
To show that the result really is false, one may take a to be the stream that 
begins 0, 0, 1 and then has all 2s, and b to be the stream of all 0s. Both satisfy 
the equations of FOO: for a, both tail a and odd a are the stream 0, 1, 2, 2, 2, ..., 
and for b both sides of every equation are the all-0 stream; and head a = head b = 0. 
But odd b is the all-0 stream, which differs from a at its third element. (Of course, BOBJ's 
c4rw algorithm also fails to prove it; in fact, it goes into an infinite loop during 
behavioral rewriting when given this input.) □ 

Example 4. Two definitions of Fibonacci, plus evenness. Here is a not so trivial ex- 
ample. The goal of the first invocation of c4rw via cred is to show the equality of 
two different definitions of the stream of all Fibonacci numbers; for this, the al- 
gorithm generates an unending stream of new circularities, thus illustrating how 
c4rw itself can fail to terminate. The zip function interleaves two streams, and 
add sums adjacent pairs, so that add zip(S, S') is the pointwise sum of S and S'. The 
second goal involves both a conditional goal and a circularity, and it succeeds. 

bth 2FIB is pr STREAM[NAT] . 
  ops fib fib' : Nat Nat -> Stream . 
  vars N N' : Nat . vars S S' : Stream . 
  eq head fib(N, N') = N . 
  eq tail fib(N, N') = fib(N', N + N') . 
  eq head fib'(N, N') = N . 
  eq head tail fib'(N, N') = N' . 
  op zip : Stream Stream -> Stream . 
  eq head zip(S, S') = head S . 
  eq tail zip(S, S') = zip(S', tail S) . 
  op add_ : Stream -> Stream . 
  eq tail tail fib'(N, N') = add zip(fib'(N, N'), tail fib'(N, N')) . 
  eq head add S = head S + head tail S . 
  eq tail add S = add tail tail S . 
end 

cred fib(N, N') == fib'(N, N') . 

bth EVENNESS is pr 2FIB + STREAM[BOOL] * (sort Stream to BStream) . 
  op all-true : -> BStream . 
  eq head all-true = true . 
  eq tail all-true = all-true . 
  op even?_ : Nat -> Bool . 
  op even?_ : Stream -> BStream . 
  vars M N : Nat . var S : Stream . 
  eq even? 0 = true . 
  eq even? s 0 = false . 
  eq even? s s N = even? N . 
  eq head even? S = even? head S . 
  eq tail even? S = even? tail S . 
  eq even?(M + N) = true if even?(M) and even?(N) . 
end 

cred even? fib(M, N) == all-true if even?(M) and even?(N) . 

The last equation of EVENNESS is really a lemma that should be proved by induction; it is 
needed in the proof that if fib is given two even arguments, then all its values 
are even. □ 

Example 5. Two definitions for iteration. The goal is proving the equivalence of two 
ways to produce the stream of increasingly many applications of a function to 
an element. (The operation f on Elt and the map operation on streams are not declared 
here; presumably f comes from the parameter theory DATA and map from STREAM[X].) 

bth MAP-ITER[X :: DATA] is pr STREAM[X] . 
  ops (iter1_) (iter2_) : Elt -> Stream . 
  var E : Elt . var S : Stream . 
  eq head iter1 E = E . 
  eq tail iter1 E = iter1 f E . 
  eq head iter2 E = E . 
  eq tail iter2 E = map iter2(E) . 
end 

cred iter1 E == iter2 E . 

The c4rw algorithm generates two circularities, one of which is applied in a 
special context, i.e., not at the top, in fact, under map. Hence this example 
actually requires special contexts. □ 
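The stream specifications of Examples 3, 4 and 5, as an added Python example that is not part of the paper or of BOBJ: each behavioral equation becomes a head or tail thunk of a lazy, memoised stream, and the goals are compared on finite prefixes. Such a comparison can refute a behavioral equality (Example 3) or support one (Examples 4 and 5) but never proves it; that is exactly the gap that circular coinduction closes. The function f of Example 5 is supplied as a Python argument, since the parameter theory DATA is not on the page.

```python
# Added example: the streams of Examples 3, 4 and 5 as lazy Python streams.

_UNSET = object()

class Stream:
    """A stream given by thunks for head and tail.  Both are memoised, so a
    self-referential definition (fib' below) is evaluated only once per element."""
    def __init__(self, head, tail):
        self._head, self._tail = head, tail
        self._h = self._t = _UNSET

    @property
    def head(self):
        if self._h is _UNSET:
            self._h = self._head()
        return self._h

    @property
    def tail(self):
        if self._t is _UNSET:
            self._t = self._tail()
        return self._t

    def take(self, n):
        """The first n elements, computed in order."""
        out, s = [], self
        for _ in range(n):
            out.append(s.head)
            s = s.tail
        return out

def from_fn(f, i=0):
    """The stream whose n-th element is f(n)."""
    return Stream(lambda: f(i), lambda: from_fn(f, i + 1))

# Example 3: odd, and the counterexample streams a, b.
def odd(s):                 # head odd S = head S ; tail odd S = odd tail tail S
    return Stream(lambda: s.head, lambda: odd(s.tail.tail))

A = from_fn(lambda i: (0, 0, 1)[i] if i < 3 else 2)   # 0 0 1 2 2 2 ...
B = from_fn(lambda i: 0)                              # 0 0 0 ...

def check_foo(n=16):
    """(head a = head b, tail a = odd a, tail tail b = odd b, odd b = a) on n elements:
    the three axioms of FOO hold, the 'proved' goal odd b == a does not."""
    return (A.head == B.head,
            A.tail.take(n) == odd(A).take(n),
            B.tail.tail.take(n) == odd(B).take(n),
            odd(B).take(n) == A.take(n))

# Example 4: fib, fib', zip, add and even?.
def zip_(s, t):             # head zip(S,S') = head S ; tail zip(S,S') = zip(S', tail S)
    return Stream(lambda: s.head, lambda: zip_(t, s.tail))

def add(s):                 # head add S = head S + head tail S ; tail add S = add tail tail S
    return Stream(lambda: s.head + s.tail.head, lambda: add(s.tail.tail))

def fib(n, n1):             # head fib(N,N') = N ; tail fib(N,N') = fib(N', N + N')
    return Stream(lambda: n, lambda: fib(n1, n + n1))

def fib2(n, n1):            # fib': head = N ; head tail = N' ; tail tail = add zip(fib', tail fib')
    s = Stream(lambda: n,
               lambda: Stream(lambda: n1, lambda: add(zip_(s, s.tail))))
    return s

def even_stream(s):         # head even? S = even? head S ; tail even? S = even? tail S
    return Stream(lambda: s.head % 2 == 0, lambda: even_stream(s.tail))

# Example 5: iter1, iter2 and map, with f passed in for the parameter theory DATA.
def map_(f, s):
    return Stream(lambda: f(s.head), lambda: map_(f, s.tail))

def iter1(f, e):            # head iter1 E = E ; tail iter1 E = iter1 f E
    return Stream(lambda: e, lambda: iter1(f, f(e)))

def iter2(f, e):            # head iter2 E = E ; tail iter2 E = map iter2(E)
    s = Stream(lambda: e, lambda: map_(f, s))
    return s

def compare(s, t, n=20):
    """Prefix comparison: a False refutes the equality, a True only supports it."""
    return s.take(n) == t.take(n)
```

The memoisation matters for fib': its second tail refers back to the stream itself, and without sharing each element would be recomputed along every reference, exactly the blow-up that the symbolic proof avoids by reasoning about the circularity once.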



6 Conclusions and Future Research 

We believe that the c4rw algorithm, especially with its use of special contexts, 
is the most powerful algorithm now available for proving behavioral properties of 
complex systems. However, much can be done to improve it. First, the conditions 
for contexts to be special in Section 3 are only the beginning of what could be 
a long journey, parallel to the one followed in research on automatic induction 
algorithms. In fact, it would probably be useful to combine the c4rw algorithm 
with some automatic induction methods. In any case, we will consider more 
powerful conditions for special contexts in future publications. 

Another topic that seems worth exploring is adding conditions to case state- 
ments; the idea is that after the pattern is matched, the case split would only 
be applied if the condition is satisfied. This could make the application of case 
splits more precise, as well as reduce the computation needed for some large 
examples. 

Finally, more should be done on the duality between induction and circular 
coinduction. In particular, since we are talking about sophisticated algorithms 
that generate new hypotheses, not just about basic forms of induction and coin- 
duction, the very notion of duality may need some careful explication. 
Abstract. We present a proof calculus for architectural specifications, 
complete w.r.t. their generative semantics. Architectural specifications, 
introduced in the Casl specification language, are a formal mechanism 
for expressing implementation steps in program development. They state 
that to implement a needed unit, one may implement some other units 
and then assemble them in the prescribed manner; thus they capture 
modular design steps in the development process. We focus on develop- 
ing verification techniques applicable to full Casl architectural specifica- 
tions, which involves, inter alia, getting around the lack of amalgamation 
in the Casl institution. 



Introduction 

The formal development of a program consists of three phases: writing a require- 
ments specification, implementing it, and proving the correctness of the imple- 
mentation with respect to the specification (see [ST97]). Architectural specifica- 
tions [BST99] are meant to be a tool aiding the developer in breaking down the 
implementation task into independent subtasks. These subtasks can be either 
further broken down, or directly coded in a chosen programming language. The 
benefits of dividing a programming task into independent subtasks are obvious: 
work on parts of the project can proceed in parallel, the project as a whole is 
easier to maintain and comprehend. Also, the correctness proof can now be con- 
structed from the correctness proofs for the individual subtasks and a correctness 
proof of the subdivision (i.e., architectural specification) itself. 

Our goal is to provide one crucial ingredient necessary for architectural spec- 
ifications to be used in practice in the formal development of software, namely 
verification of their correctness. What we do is reduce the correctness problem 
to the problem of proving semantic consequence in an institution (usually the 
underlying institution of the architectural specification at issue) . 

In Sect. 1 we define the syntax and formal semantics of architectural specifi- 
cations in an institution-independent fashion. In Sect. 2 we then devise a calculus 
for proving properties of architectural specifications and state its correctness and 
completeness w.r.t. a generative semantics. This calculus in many respects builds 
on what has been presented in [Hof01]. 
Sect. 3 and 4 (together with Sect. 6) form the novel part of the paper. Here, 
we develop techniques for discharging proof obligations which arise when using 
the proof calculus of Sect. 2. These techniques are institution-independent, i.e., 
they work in any institution having certain, abstractly formulated, expressibility 
properties. To extend the applicability of these techniques to institutions without 
amalgamation, a representation of the institution of interest in some "better" 
institution is introduced. 

In Sect. 5 we define the full Casl logic [CASL00,CASL], including subsorting 
and structured specifications, and construct a representation of this logic in a 
many-sorted logic. Finally, in Sect. 6 we prove that this many-sorted logic and 
the used representation of Casl have all the properties required in order to apply 
the techniques presented in Sect. 3 and 4. 

1 Preliminaries 

Some notation: by $f[a/x]$ we denote the function which extends $f$ with the 
mapping $x \mapsto a$; at the same time, if $A$ is a syntactic object, then $X[B/A]$ 
substitutes all $A$s in $X$ by $B$s; for any notion $N$, we write $N^{*}$ for the same 
notion applied to tuples. 

The definition of architectural specifications will be parametrized by an un- 
derlying logical system, formalized as an institution (see [GB92]). An institution 
$I$ is a quadruple $(\mathbf{Sig}, \mathbf{Mod}, \mathbf{Sen}, \models)$, where: 

— $\mathbf{Sig}$ is a category of signatures; 

— $\mathbf{Mod} : \mathbf{Sig}^{op} \to \mathbf{CAT}$ is a functor into the quasi-category of all categories; 

— $\mathbf{Sen} : \mathbf{Sig} \to \mathbf{Set}$ is a functor into the category of all small sets (we sometimes 
drop the functoriality requirement); 

— $\models$ is a family $\{\models_\Sigma\}_{\Sigma \in \mathrm{Ob}(\mathbf{Sig})}$, where $\models_\Sigma$ is a relation on $\mathbf{Mod}(\Sigma) \times \mathbf{Sen}(\Sigma)$. 

These data are subject to the so-called satisfaction condition, i.e., for any $\sigma : 
\Sigma \to \Delta$ in $\mathbf{Sig}$, $\phi \in \mathbf{Sen}(\Sigma)$ and $M \in \mathbf{Mod}(\Delta)$ the following equivalence holds: 

\[ M \models_\Delta \mathbf{Sen}(\sigma)(\phi) \iff \mathbf{Mod}(\sigma)(M) \models_\Sigma \phi \]

Objects of $\mathbf{Mod}(\Sigma)$ are called $\Sigma$-models and elements of $\mathbf{Sen}(\Sigma)$ are called 
$\Sigma$-sentences. We usually denote the functor $\mathbf{Mod}(\sigma)$ by $\_|_\sigma$ and call it the ($\sigma$-) 
reduct. If $N|_\sigma = M$, then $N$ is a $\sigma$-extension of $M$ (and $M$ is $\sigma$-extendible). For 
any $\sigma : \Sigma \to \Delta$ in $\mathbf{Sig}$ and $\phi \in \mathbf{Sen}(\Sigma)$, by $\sigma(\phi)$ we denote $\mathbf{Sen}(\sigma)(\phi)$ and 
we call it the translation of $\phi$ along $\sigma$. We will overload the symbols $\mathbf{Mod}$ and 
$\models$ as follows. For any set $\Phi$ of $\Sigma$-sentences, $\mathbf{Mod}_\Sigma(\Phi)$ denotes the class of all 
$\Sigma$-models satisfying all sentences from $\Phi$. If $\Psi$ is a set of $\Sigma$-sentences, then we 
write $\Phi \models_\Sigma \Psi$ if $\mathbf{Mod}_\Sigma(\Phi) \subseteq \mathbf{Mod}_\Sigma(\Psi)$. 

By $\mathbf{Pres}(I)$ we denote the category of presentations, i.e., pairs $(\Sigma, \Phi)$, where 
$\Phi$ is a finite set of $\Sigma$-sentences, a morphism $\sigma : (\Sigma, \Phi) \to (\Delta, \Psi)$ being a signature 
morphism $\sigma : \Sigma \to \Delta$ such that $\sigma(\Phi) \models_\Delta \Psi$. By $Sig[\_]$ and $Ax[\_]$ we denote the 
respective components of a presentation. 
  ASP ::= units UD_1 ... UD_n result UE 
  UD  ::= A : USP 
  UE  ::= T | λA : SP • T 
  T   ::= A | A(T) | T and T | reduce T by σ | let A = T in T 

Fig. 1. Language of architectural specifications. 



We parametrize the definition of architectural specifications by an underlying 
institution $I = (\mathbf{Sig}, \mathbf{Mod}, \mathbf{Sen}, \models)$ and a subcategory of $\mathbf{Sig}$ called the inclusion 
subcategory, which we require to be a partial order on the objects of $\mathbf{Sig}$. If an 
inclusion of $\Sigma$ into $\Delta$ exists, we say that $\Sigma$ is 
a subsignature of $\Delta$. The language of architectural specifications is described by 
the grammar in Figure 1 (here, the $A$s come from an infinite set of identifiers, 
the $\sigma$s are signature morphisms in $I$, and the $SP$s are objects in $\mathbf{Pres}(I)$; $USP$s 
are introduced below). 

Syntactic differences aside, this language of architectural specifications differs 
somewhat from what is used in Casl. On the one hand, the reduct is more re- 
strictive in Casl. On the other hand, we have disallowed a number of constructs 
available in Casl: multi-parameter units, unit definitions, fitting morphisms in 
applications, declarations with imports, and translation. Except for the imports, 
this does not constitute a big difference, it just makes the analysis and presen- 
tation more clear. Also, we have chosen our specifications to be presentations. 
As we will see in Sect. 5, this is not a real restriction either, since structured 
specifications fit well into such a framework. 

In order to introduce a formal semantics of architectural specifications, we 
need a few definitions. A parametric signature is a pair $PS = (\Sigma, \Delta)$ such that 
$\Sigma$ is a subsignature of $\Delta$. A unit signature $US$ is either a (regular) signature or 
a parametric signature. A parametric unit over a parametric signature $(\Sigma, \Delta)$ is 
a partial function $U$ from $\mathbf{Mod}(\Sigma)$ to $\mathbf{Mod}(\Delta)$ which is persistent, i.e., for any 
$M \in \mathrm{dom}(U)$ we have $U(M)|_\Sigma = M$. A unit over a unit signature is a model 
over that signature, if it is a (regular) signature, or a parametric unit over that 
signature, if it is a parametric signature. A unit specification $USP$ is either a 
presentation $(\Sigma, \Phi)$, with $[\![USP]\!] = \mathbf{Mod}_\Sigma(\Phi)$, or a parametric unit specification 
$(\Sigma, \Phi) \to (\Delta, \Psi)$, where $\Sigma$ is a subsignature of $\Delta$, with $[\![USP]\!]$ being the class 
of all parametric units $U$ over $(\Sigma, \Delta)$ such that $\mathrm{dom}(U) = \mathbf{Mod}_\Sigma(\Phi)$ and for 
all $M \in \mathrm{dom}(U)$, $U(M) \in \mathbf{Mod}_\Delta(\Psi)$. A static environment $\delta$ is a pair $(B, P)$, 
where $B$ maps identifiers to signatures and $P$ maps identifiers to parametric 
signatures. The domains of $B$ and $P$ are required to be finite and disjoint. A 
unit environment fitting a static environment $(B, P)$ is a map $e$, sending any 
identifier $X \in \mathrm{dom}(B)$ to a model over $B(X)$ and any identifier $X \in \mathrm{dom}(P)$ 
to a parametric unit over $P(X)$. A unit context fitting a static environment $\delta$ is 
any set $E$ of environments fitting $\delta$. A model function of type $(E, \Sigma)$ is a total 
function $F$ from the context $E$ into $\mathbf{Mod}(\Sigma)$. Unit functions of type $(E, US)$, 
denoted $UF$, are defined analogously. 

To deal with the and-construct, we need two notions. First, we define the 
sum of signatures $\Sigma, \Delta$ to be their least upper bound $\Gamma = \Sigma \cup \Delta$ with respect 
to the inclusion order, if it exists. Then for any models $M$ over $\Sigma$ and $N$ over 
$\Delta$ we define their amalgamation, denoted $M \oplus N$, to be a $\Gamma$-model $P$ satisfying 
$P|_\Sigma = M$ and $P|_\Delta = N$, if it exists and is unique. Models are called 
amalgamable if their amalgamation exists. 

We use the natural semantics style, with judgments written $\_\_ \vdash \_\_ \rhd \_\_$. 
We always implicitly add premises stating that objects denoted by $\delta$ are static 
environments, that in any pair $\delta, E$ the context $E$ fits $\delta$, etc. 

The semantics in Fig. 2 and 3 assigns: 

— to a unit declaration, a static environment $\delta$ and a unit context $E$ fitting $\delta$; 

— to a term, given a static environment $\delta$ and a unit context $E$ fitting $\delta$, a 
signature $\Sigma$ and a model function $F$ of type $(E, \Sigma)$; 

— to a unit expression, given a static environment $\delta$ and a unit context $E$ fitting 
$\delta$, a unit signature $U\Sigma$ and a unit function $UF$ of type $(E, U\Sigma)$; 

— to an architectural specification, a static environment $\delta$, a unit signature $U\Sigma$ 
and a unit function $UF$ of type $(\mathrm{dom}(UF), U\Sigma)$, where $\mathrm{dom}(UF)$ fits $\delta$. 

This semantics, though considerably simplified, is consistent with the formal 
semantics of Casl, found in [CASL00]. 
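To make the clauses of Fig. 2 and 3 concrete, here is an added Python example that is not part of the paper or of Casl. It fixes a toy institution (an assumption of this example, not something the paper defines): a signature is a finite set of symbol names ordered by inclusion, a model over it is a total assignment of integers to its symbols, a reduct along an inclusion restricts the assignment, the sum of two signatures is their union, and so an amalgamation exists exactly when the two models agree on the shared symbols and is then unique. Over this institution the semantic clauses for A, A(T), reduce and T1 and T2 are short functions, and the existence of amalgamations over a whole unit context, which is the type II premise discussed in Sect. 2, can simply be checked.

```python
from itertools import product

# Added example: Fig. 2/3 semantics over a toy institution.  A model is a dict
# symbol -> int over a signature that is a set of symbol names; a parametric unit
# is a Python function from models to models.

def reduct(model, sig):
    """M|_Σ for the inclusion of sig into the signature of M."""
    return {x: model[x] for x in sig}

def amalgamation(m, n):
    """M ⊕ N over Σ ∪ Δ, or None if M and N disagree on Σ ∩ Δ.  Since a model
    here is fixed by its values, the amalgamation is unique whenever it exists."""
    if any(m[x] != n[x] for x in m.keys() & n.keys()):
        return None
    return {**m, **n}

def unit_context(decls):
    """The unit context of 'units UD_1 ... UD_n' (first rule of Fig. 2): one
    environment for every choice of an admissible unit per declared identifier.
    decls maps an identifier to the list of its admissible units."""
    names = list(decls)
    return [dict(zip(names, choice)) for choice in product(*(decls[a] for a in names))]

def term_id(a):
    """T ::= A    F(e) = e(A)."""
    return lambda e: e[a]

def term_apply(a, F):
    """T ::= A(T)    F'(e) = e(A)(F(e)), where e(A) is a parametric unit."""
    return lambda e: e[a](F(e))

def term_reduce(F, sig):
    """T ::= reduce T by σ, for σ the inclusion of sig."""
    return lambda e: reduct(F(e), sig)

def term_and(F1, F2):
    """T ::= T1 and T2    F(e) = F1(e) ⊕ F2(e); defined only when the
    amalgamation exists for every environment (the type II premise)."""
    def F(e):
        p = amalgamation(F1(e), F2(e))
        if p is None:
            raise ValueError("T1 and T2: amalgamation does not exist")
        return p
    return F

def type_ii_premise(context, F1, F2):
    """'For every environment e in the context, F1(e) ⊕ F2(e) exists.'"""
    return all(amalgamation(F1(e), F2(e)) is not None for e in context)

# Constructed units (not from the paper).  A is a non-parametric unit over
# {x, y} with two admissible models; B is a persistent parametric unit over
# ({y}, {y, z}) that keeps y and defines z = y + 1; C is an independent
# non-parametric unit over {y, z} with two admissible models.
MODELS_A = [{"x": 1, "y": 2}, {"x": 0, "y": 7}]
MODELS_C = [{"y": 2, "z": 3}, {"y": 7, "z": 8}]

def unit_B(m):
    return {**m, "z": m["y"] + 1}

def with_application():
    """A and B(reduce A by {y}): B's argument is a reduct of A and B is
    persistent, so both parts agree on y and every amalgamation exists."""
    ctx = unit_context({"A": MODELS_A, "B": [unit_B]})
    FA = term_id("A")
    FB = term_apply("B", term_reduce(FA, frozenset({"y"})))
    ok = type_ii_premise(ctx, FA, FB)
    return ok, [term_and(FA, FB)(e) for e in ctx]

def with_independent_unit():
    """A and C: nothing ties the y chosen for C to the y chosen for A, so the
    type II premise fails and the term has no denotation."""
    ctx = unit_context({"A": MODELS_A, "C": MODELS_C})
    return type_ii_premise(ctx, term_id("A"), term_id("C"))
```

The two cases show what the premise of the and-rule actually protects against: sharing that is forced by the structure of the terms (an application to a reduct of the other operand) is amalgamable in every environment, whereas two independently declared units that merely happen to share a symbol are not, because the context ranges over all combinations of their models.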

2 Proving Properties of Architectural Specifications 

An architectural specification describes the decomposition of a programming 
task. This may be expressed by a statement of the form $\vdash ASP :: USP$, which 
says "$ASP$ describes a correct procedure of building a unit $U \in [\![USP]\!]$". This 
means that, first of all, the procedure itself is correct, i.e., $ASP$ has a denotation 
$\delta, U\Sigma, UF$; and, second, the procedure gives the required result, i.e., any unit in 
the image of $UF$ is in $[\![USP]\!]$. 

A context $\Gamma$ consists of a finite number of declarations of two types: 

— $A : \Phi$, where $(\Sigma, \Phi)$ is a presentation; we then say that $A \in \mathrm{dom}(\Gamma)$ and 
$\Gamma(A) = \Sigma$; 

— $\sigma : A \to B$, where $\Gamma(A) = \mathrm{dom}(\sigma)$ and $\Gamma(B) = \mathrm{cod}(\sigma)$. 

A parametric context $\Gamma_{par}$ consists of a finite number of declarations of the form 
$A : (\Sigma, \Phi) \to (\Delta, \Psi)$, where $(\Sigma, \Phi) \to (\Delta, \Psi)$ is a unit specification. For both kinds of 
contexts, if $\Gamma_1$ and $\Gamma_2$ coincide on the intersection of their domains, then $\Gamma_1 \cup \Gamma_2$ 
is defined naturally. 

We say that a model family $\{M_X\}_{X \in \mathrm{dom}(\Gamma)}$ is consistent with a context $\Gamma$, 
written $\{M_X\}_{X \in \mathrm{dom}(\Gamma)} \models \Gamma$, if: 

— $A : \Phi$ in $\Gamma$ implies $M_A \in \mathbf{Mod}_\Sigma(\Phi)$, 

— $\sigma : X \to Y$ in $\Gamma$ implies $M_X = M_Y|_\sigma$. 

A calculus for deriving statements $\vdash ASP :: USP$ is given in Fig. 4 and 5. This 
calculus is correct, but its completeness depends on additional assumptions. A 
proof by induction over the structure of (the result-term of) the architectural 
specification (see [Hof01] for a few further hints) is omitted. 
\[
\frac{\begin{array}{l}
\vdash UD_1 \rhd (B_1, P_1), E_1 \quad \cdots \quad \vdash UD_n \rhd (B_n, P_n), E_n \\
\delta = (B_1 \cup \cdots \cup B_n,\ P_1 \cup \cdots \cup P_n) \text{ is an $n$-element static environment} \\
E = \{\, e_1 \cup \cdots \cup e_n \mid e_1 \in E_1, \ldots, e_n \in E_n \,\} \\
\delta, E \vdash UE \rhd U\Sigma, UF
\end{array}}
{\vdash \mathbf{units}\ UD_1 \ldots UD_n\ \mathbf{result}\ UE \;\rhd\; \delta, U\Sigma, UF}
\]

\[
\vdash A : (\Sigma, \Phi) \;\rhd\; (\{A \mapsto \Sigma\}, \emptyset),\ \{\, \{A \mapsto M\} \mid M \in \mathbf{Mod}_\Sigma(\Phi) \,\}
\]

\[
\vdash A : SP \to SP' \;\rhd\; (\emptyset, \{A \mapsto (Sig[SP], Sig[SP'])\}),\ \{\, \{A \mapsto U\} \mid U \in [\![SP \to SP']\!] \,\}
\]

\[
\frac{(B, P), E \vdash T \rhd \Sigma, F}{(B, P), E \vdash T \rhd \Sigma, F}
\qquad \text{(a term used as a unit expression)}
\]

\[
\frac{\begin{array}{l}
(B[\Sigma/A], P),\ \{\, e[M/A] \mid e \in E,\ M \in \mathbf{Mod}_\Sigma(\Phi) \,\} \vdash T \rhd \Delta, F \\
\Sigma \text{ is a subsignature of } \Delta \\
\text{for all } e \in E \text{ and } M \in \mathbf{Mod}_\Sigma(\Phi),\ F(e[M/A])|_\Sigma = M
\end{array}}
{(B, P), E \vdash \lambda A : (\Sigma, \Phi) \bullet T \;\rhd\; (\Sigma, \Delta),\ \lambda e \in E \bullet \lambda M \in \mathbf{Mod}_\Sigma(\Phi) \bullet F(e[M/A])}
\]

\[
\frac{A \in \mathrm{dom}(B)}{(B, P), E \vdash A \;\rhd\; B(A),\ \lambda e \in E \bullet e(A)}
\]

\[
\frac{\begin{array}{l}
A \in \mathrm{dom}(P) \text{ and } P(A) = (\Sigma, \Delta) \\
(B, P), E \vdash T \rhd \Sigma, F \\
\text{for all } e \in E,\ F(e) \in \mathrm{dom}(e(A))
\end{array}}
{(B, P), E \vdash A(T) \;\rhd\; \Delta,\ \lambda e \in E \bullet e(A)(F(e))}
\]

\[
\frac{\begin{array}{l}
\delta, E \vdash T_1 \rhd \Sigma_1, F_1 \quad \text{and} \quad \delta, E \vdash T_2 \rhd \Sigma_2, F_2 \\
\Delta = \Sigma_1 \cup \Sigma_2 \\
\text{for all } e \in E,\ F_1(e) \oplus F_2(e) \text{ exists}
\end{array}}
{\delta, E \vdash T_1\ \mathbf{and}\ T_2 \;\rhd\; \Delta,\ \lambda e \in E \bullet F_1(e) \oplus F_2(e)}
\]

Fig. 2. The semantics of architectural specifications. 
\[
\frac{\delta, E \vdash T \rhd \Sigma', F}
{\delta, E \vdash \mathbf{reduce}\ T\ \mathbf{by}\ \sigma : \Sigma \to \Sigma' \;\rhd\; \Sigma,\ \lambda e \in E \bullet F(e)|_\sigma}
\]

\[
\frac{\begin{array}{l}
(B, P), E \vdash T \rhd \Sigma, F \\
A \notin \mathrm{dom}(B) \cup \mathrm{dom}(P) \\
(B[\Sigma/A], P),\ \{\, e[F(e)/A] \mid e \in E \,\} \vdash T' \rhd \Sigma', F'
\end{array}}
{(B, P), E \vdash \mathbf{let}\ A = T\ \mathbf{in}\ T' \;\rhd\; \Sigma',\ \lambda e \in E \bullet F'(e[F(e)/A])}
\]

Fig. 3. The semantics of architectural specifications, continued. 



Theorem 1. For any architectural specification $ASP$ and unit specification $USP$, 
if $\vdash ASP :: USP$, then $\vdash ASP \rhd \delta, U\Sigma, UF$ for some $\delta, U\Sigma, UF$ such that 
$UF(e) \in [\![USP]\!]$ for all $e \in \mathrm{dom}(UF)$. □ 

Theorem 2. For any architectural specification $ASP$ and unit specification $USP$, 
if $\vdash ASP \rhd \delta, U\Sigma, UF$ for some $\delta, U\Sigma, UF$ such that $UF(e) \in [\![USP]\!]$ for all 
$e \in \mathrm{dom}(UF)$ and: 

— no parametric unit in $ASP$ is applied more than once, and 

— no parametric unit declaration in $ASP$ is inconsistent, 

then $\vdash ASP :: USP$. □ 

The first of the requirements of Th. 2 effectively means that our calculus is
complete w.r.t. a generative semantics, i.e., one in which two applications of the
same parametric unit to the same argument may yield different results (the se-
mantics of Fig. 2 and 3 is non-generative, but both coincide if no unit is applied
more than once). There are also methodological reasons for choosing a genera-
tive semantics (e.g., SML is generative [Pau96]; for a discussion of generativity
see [Hof01], Sect. 4 in fine). The second of the above requirements is purely
technical and of little importance, since an inconsistent declaration makes an
architectural specification useless in any case.

Of course, the above theorems do not solve our problem fully, since we still 
need some method for discharging the following types of premises: 

type I: “for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$ we have $M_A \models_{\Gamma(A)} \varphi$”, and

type II: “for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$, $M_A \oplus M_B$ exists”

(the premise $\Phi \models_\Sigma \varphi$ is merely a special case of a type I premise).

If the signature category has coproducts, then a type II premise may be
transformed into a type IIa premise: “for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$,
$M_C$ has a unique $\eta$-extension”, where $\eta$ is the universal morphism from a
coproduct $\Gamma(A) \sqcup \Gamma(B)$ to the sum $\Gamma(A) \cup \Gamma(B)$.

3 Type I Premises 

In this section we develop a technique for checking premises of the form “for
any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$ we have $M_A \models_{\Gamma(A)} \varphi$”. It should be
Fig. 4. A proof-calculus for architectural specifications. [Rules for $\vdash ASP :: USP$: unit declarations and the result unit, unit variables, unit application $A(T)$ and amalgamation $T_1$ and $T_2$; the rules themselves are not recoverable from the extracted text.]
Fig. 5. A proof-calculus for architectural specifications, continued. [Rules for reduce $T$ by $\sigma$ and for local $A = T$ within $T'$; the rules themselves are not recoverable from the extracted text.]



noted that this problem (and this applies to type IIa premises just as well) is so
complex because we are not allowed to assume that the underlying institution has
logical amalgamation (see below); the Casl institution lacks logical amalgamation.
As suggested in [SMTKH01], to circumvent this problem, we represent the
underlying institution in a second institution which enjoys the logical
amalgamation property. In the sequel, we will work with two institutions,
$I = (Sig, Mod, Sen, \models)$ and $I' = (Sig', Mod', Sen', \models')$.

An institution $I$ has logical amalgamation if for any context $\Gamma$ one may com-
pute a sink $\{\alpha_X : \Gamma(X) \to \Sigma\}_{X \in dom(\Gamma)}$ and a finite set $\Phi$ of $\Sigma$-sentences such
that the set $\{\, \{M|_{\alpha_X}\}_{X \in dom(\Gamma)} \mid M \in Mod_\Sigma(\Phi) \,\}$ is equal to the set of all model
families consistent with $\Gamma$. The pair $(\{\alpha_X\}_{X \in dom(\Gamma)}, \Phi)$ is called an amalgamat-
ing sink. The idea here is that with logical amalgamation we are able to replace
quantification of the form “for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$, ...” by
“for any model $M \models_\Sigma \Phi$, ...”, with references to $M_A$ in the former replaced by
$M|_{\alpha_A}$ in the latter.

A representation of $I$ in $I'$ is a triple $R = (\rho, s, m)$, where:

— $\rho : Sig \to Pres(I')$ is a functor,

— $s : Sen \to \rho; Sig[\_]; Sen'$ is a natural transformation,

— $m : \rho^{op}; Mod' \to Mod$ is a natural isomorphism.

These data must satisfy the following representation condition for all $\Sigma \in
Ob(Sig)$, $M' \in Mod'(\rho(\Sigma))$, $\varphi \in Sen(\Sigma)$:

$$M' \models'_{Sig[\rho(\Sigma)]} s_\Sigma(\varphi) \iff m_\Sigma(M') \models_\Sigma \varphi.$$

The above-defined form of representation is in fact very strong, effectively
implying that $I$ is a “subinstitution” of $I'$ definable in terms of $I'$-sentences.

For any set $\Phi$ of $\Sigma$-sentences over $I$, by $\bar{s}_\Sigma(\Phi)$ we denote the set $Ax[\rho(\Sigma)] \cup
s_\Sigma(\Phi)$ of $Sig[\rho(\Sigma)]$-sentences over $I'$. For any $I$-context $\Gamma$, by $R(\Gamma)$ we denote the
context obtained by mapping any declaration $A :_\Sigma \Phi$ in $\Gamma$ to $A :_{Sig[\rho(\Sigma)]} \bar{s}_\Sigma(\Phi)$
and any declaration $\sigma : A \to B$ in $\Gamma$ to $\rho(\sigma) : A \to B$.



Lemma 1. Let $\Gamma$ be an $I$-context and $R = (\rho, s, m) : I \to I'$ a representation.
Then the map taking any model family $\{M_X\}_{X \in dom(\Gamma)}$ consistent with $R(\Gamma)$ to
the model family $\{m_{\Gamma(X)}(M_X)\}_{X \in dom(\Gamma)}$ is a well-defined bijection onto the set
of all model families consistent with $\Gamma$. □

Theorem 3. Assume that $R : I \to I'$ is a representation and that $I'$ has logical
amalgamation. Then, for any $I$-context $\Gamma$ with $\Gamma(X) = \Sigma_X$ for all $X \in dom(\Gamma)$,
an amalgamating sink for $R(\Gamma)$ may be computed. Moreover, for any such sink
$(\{\tau_X\}_{X \in dom(\Gamma)}, \Phi)$, for any $A \in dom(\Gamma)$ and any $\Sigma_A$-sentence $\varphi$, the following
conditions are equivalent:

1. for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$ we have $M_A \models_{\Sigma_A} \varphi$,

2. $\Phi \models' \tau_A(s_{\Sigma_A}(\varphi))$.

Proof. ((1) ⇒ (2)) Take $Q \models' \Phi$. By definition of amalgamating sink, we have
$\{Q|'_{\tau_X} \mid X \in dom(\Gamma)\} \models' R(\Gamma)$. Hence, by Lemma 1, $\{m_{\Sigma_X}(Q|'_{\tau_X}) \mid X \in dom(\Gamma)\} \models \Gamma$.
Thus, by (1), $m_{\Sigma_A}(Q|'_{\tau_A}) \models_{\Sigma_A} \varphi$. By the representation condition this implies that
$Q|'_{\tau_A} \models'_{Sig[\rho(\Sigma_A)]} s_{\Sigma_A}(\varphi)$, and so $Q \models' \tau_A(s_{\Sigma_A}(\varphi))$ as required.

((2) ⇒ (1)) Take a model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$. Then by the lemma
$\{m^{-1}_{\Sigma_X}(M_X)\}_{X \in dom(\Gamma)} \models' R(\Gamma)$. By definition of amalgamating sink, there exists
a model $Q \models' \Phi$ such that $m^{-1}_{\Sigma_X}(M_X) = Q|'_{\tau_X}$ for all $X \in dom(\Gamma)$. By (2),
we have $Q \models' \tau_A(s_{\Sigma_A}(\varphi))$. We may infer that $m^{-1}_{\Sigma_A}(M_A) = Q|'_{\tau_A} \models'_{Sig[\rho(\Sigma_A)]}
s_{\Sigma_A}(\varphi)$, and so $M_A \models_{\Sigma_A} \varphi$. □



4 Type IIa Premises

We now develop techniques for checking the second type of premise, i.e., “for
any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$, $M_A$ is uniquely $\eta$-extendible”, where $\eta$
comes from a certain class $\varepsilon$ of signature morphisms.

We say that in $I$ morphism equalities are expressible if for any $\alpha, \beta : \Sigma \to \Delta$
one may compute a finite set $\Phi$ of $\Delta$-sentences such that for any finite set of
$\Delta$-sentences $\Phi_0$ we have $\Phi_0 \models_\Delta \Phi$ iff for any $M \models_\Delta \Phi_0$ the equality $M|_\alpha = M|_\beta$
holds. We then say that $\Phi$ expresses $\alpha = \beta$. Observe that we require much less
than $M \models_\Delta \Phi$ iff $M|_\alpha = M|_\beta$ (such a $\Phi$ would usually not exist).

Let $\varepsilon$ be a class of signature morphisms in $I$ and $R = (\rho, s, m) : I \to I'$ a
representation. Then $\varepsilon$-extendability is expressible in $R$ if for any $\eta : \Sigma \to \Sigma'$
from $\varepsilon$, setting $\rho(\Sigma) = (\Delta, \Phi)$ and $\rho(\Sigma') = (\Delta', \Phi')$, one may compute:

1. pairs $(\alpha_1, \beta_1), \ldots, (\alpha_n, \beta_n)$, where $\alpha_i, \beta_i : \Delta_i \to \Delta$ are signature morphisms
in $I'$, such that for any $\Delta$-model $M$, $M$ is $\rho(\eta)$-extendible iff $M|'_{\alpha_1} = M|'_{\beta_1}$,
..., $M|'_{\alpha_n} = M|'_{\beta_n}$, and

2. a finite set $\Psi'$ of $\Delta'$-sentences such that for any $\Delta$-model $N$:

(a) if $N$ has a unique $\rho(\eta)$-extension satisfying $\Phi'$, then any of its $\rho(\eta)$-
extensions satisfies $\Psi'$, and

(b) if $N$ has a $\rho(\eta)$-extension satisfying $\Psi'$, then it has a unique $\rho(\eta)$-exten-
sion satisfying $\Phi'$.

We then say that $(\alpha_1, \beta_1), \ldots, (\alpha_n, \beta_n)$ and $\Psi'$ express $\eta$-extendability. The idea
behind this definition is as follows. Condition (1) captures $\rho(\eta)$-extendability.
Condition (2) is designed to transform this into unique $\eta$-extendability: point
(b) ensures unique $\eta$-extendability, while point (a) checks that $\Psi'$ is not overly
restrictive.

Theorem 4. Let $R : I \to I'$ be a representation and assume that $I'$ has logical
amalgamation, $\varepsilon$-extendability is expressible in $R$ and morphism equalities are
expressible in $I'$. For any $I$-context $\Gamma$ with $\Gamma(X) = \Sigma_X$ for all $X \in dom(\Gamma)$,
for any $A \in dom(\Gamma)$ and any $\eta \in \varepsilon$ with $dom(\eta) = \Sigma_A$ and $cod(\eta) = \Delta$ the
following objects may be computed:

(A) an amalgamating sink $(\{\tau_X\}_{X \in dom(\Gamma)}, \Phi)$ for $R(\Gamma)$,

(B) pairs $(\alpha_1, \beta_1), \ldots, (\alpha_n, \beta_n)$ and a set $\Psi$ expressing $\eta$-extendability,

(C) sets $\Phi_1, \ldots, \Phi_n$ expressing the morphism equalities $(\alpha_1;\tau_A = \beta_1;\tau_A)$, ...,
$(\alpha_n;\tau_A = \beta_n;\tau_A)$, respectively,

(D) an amalgamating sink $(\{\sigma_X\}_{X \in dom(R\Gamma')}, \Psi')$ for $R\Gamma' = R(\Gamma) \cup \{B :_{Sig[\rho(\Delta)]}
\emptyset,\ \rho(\eta) : A \to B\}$, where $B \notin dom(\Gamma)$.

Moreover, for any such objects, the following conditions are equivalent:

1. for any model family $\{M_X\}_{X \in dom(\Gamma)} \models \Gamma$, $M_A$ has a unique $\eta$-extension,

2. (a) $\Phi \models' \Phi_i$ for $1 \le i \le n$, and

(b) $\Psi' \models' \sigma_B(\Psi)$.

Proof. ((1) ⇒ (2a)) Take $1 \le i \le n$ and an arbitrary $M \models' \Phi$. By (A), we have
$\{M|'_{\tau_X} \mid X \in dom(\Gamma)\} \models' R(\Gamma)$. Thus $\{m_{\Sigma_X}(M|'_{\tau_X}) \mid X \in dom(\Gamma)\} \models
\Gamma$, and, by condition (1), there exists a (unique) model $N$ such that $N|_\eta =
m_{\Sigma_A}(M|'_{\tau_A})$, which implies that $m^{-1}_\Delta(N)|'_{\rho(\eta)} = M|'_{\tau_A}$. This proves that $M|'_{\tau_A}$ is
$\rho(\eta)$-extendible, and so by (B) we have $M|'_{\alpha_i;\tau_A} = M|'_{\beta_i;\tau_A}$.
By (C), this proves that $\Phi \models' \Phi_i$.

((1) ⇒ (2b)) Take any model $M \models' \Psi'$. By (D), we have $\{M|'_{\sigma_X} \mid X \in
dom(R\Gamma')\} \models' R\Gamma'$, and so $\{M|'_{\sigma_X} \mid X \in dom(\Gamma)\} \models' R(\Gamma)$. Hence, we have
$\{m_{\Sigma_X}(M|'_{\sigma_X}) \mid X \in dom(\Gamma)\} \models \Gamma$, and, by condition (1), $m_{\Sigma_A}(M|'_{\sigma_A})$ has a
unique $\eta$-extension $P$.

This implies that $M|'_{\sigma_A}$ has a unique $\rho(\eta)$-extension in $Mod'(\rho(\Delta))$, i.e., one
satisfying the axioms of the presentation $\rho(\Delta)$. First, $m^{-1}_\Delta(P)$ is such an extension, since
$m^{-1}_\Delta(P)|'_{\rho(\eta)} = m^{-1}_{\Sigma_A}(P|_\eta) = m^{-1}_{\Sigma_A}(m_{\Sigma_A}(M|'_{\sigma_A})) = M|'_{\sigma_A}$, and by the definition
of $m$ we have $m^{-1}_\Delta(P) \in Mod'(\rho(\Delta))$.
Second, if $Q|'_{\rho(\eta)} = M|'_{\sigma_A}$ and $Q \in Mod'(\rho(\Delta))$, then $m_\Delta(Q)$ is well-defined,
and $m_\Delta(Q)|_\eta = m_{\Sigma_A}(Q|'_{\rho(\eta)}) = m_{\Sigma_A}(M|'_{\sigma_A})$, so by uniqueness of $P$ we get
$P = m_\Delta(Q)$, i.e., $Q = m^{-1}_\Delta(P)$.

Thus, by (B), we may conclude that any $\rho(\eta)$-extension of $M|'_{\sigma_A}$ satisfies $\Psi$,
in particular $M|'_{\sigma_B} \models' \Psi$ (recall that $\rho(\eta) : A \to B$ is in $R\Gamma'$, so $M|'_{\sigma_B}$ is such an
extension), i.e., $M \models' \sigma_B(\Psi)$.

((2) ⇒ (1)) Let $\{M_X\}_{X \in dom(\Gamma)}$ be a model family consistent with $\Gamma$.

We will first prove that for any $1 \le i \le n$ we have $m^{-1}_{\Sigma_A}(M_A)|'_{\alpha_i} = m^{-1}_{\Sigma_A}
(M_A)|'_{\beta_i}$. Consider the model family $\{m^{-1}_{\Sigma_X}(M_X)\}_{X \in dom(\Gamma)}$. It is consistent with
$R(\Gamma)$, so, by (A), there exists a model $Q \models' \Phi$ such that for all $X \in dom(\Gamma)$ we
have $Q|'_{\tau_X} = m^{-1}_{\Sigma_X}(M_X)$. From condition (2a) we infer that $Q \models' \Phi_i$ for $1 \le i \le
n$. Now (C) gives us $Q|'_{\alpha_i;\tau_A} = Q|'_{\beta_i;\tau_A}$ and, hence, $m^{-1}_{\Sigma_A}(M_A)|'_{\alpha_i} = m^{-1}_{\Sigma_A}(M_A)|'_{\beta_i}$
for $1 \le i \le n$.

From (B) we know that there exists a model $N$ with $N|'_{\rho(\eta)} = m^{-1}_{\Sigma_A}(M_A)$.

We now prove that $N \models'_{Sig[\rho(\Delta)]} \Psi$. Define $N_X = m^{-1}_{\Sigma_X}(M_X)$ for $X \in dom(\Gamma)$
and $N_B = N$. Then $\{N_X\}_{X \in dom(R\Gamma')} \models' R\Gamma'$. Thus, by (D), there exists a model
$Q \models' \Psi'$ such that $Q|'_{\sigma_X} = N_X$ for all $X \in dom(R\Gamma')$. By condition (2b) we
then have $Q \models' \sigma_B(\Psi)$, and so $N = N_B = Q|'_{\sigma_B} \models'_{Sig[\rho(\Delta)]} \Psi$.

By (B) we may infer that there exists a unique model $M' \in Mod'(\rho(\Delta))$
such that $M'|'_{\rho(\eta)} = m^{-1}_{\Sigma_A}(M_A)$.

We claim that $P = m_\Delta(M')$ is the unique model satisfying $P|_\eta = M_A$.
First, it is well defined, since $M' \in Mod'(\rho(\Delta))$. Second, $P|_\eta = m_\Delta(M')|_\eta =
m_{\Sigma_A}(M'|'_{\rho(\eta)}) = m_{\Sigma_A}(m^{-1}_{\Sigma_A}(M_A)) = M_A$. Third, for any $P'$ with $P'|_\eta = M_A$ we have
$m^{-1}_\Delta(P')|'_{\rho(\eta)} = m^{-1}_{\Sigma_A}(P'|_\eta) = m^{-1}_{\Sigma_A}(M_A) = M'|'_{\rho(\eta)}$, and by the uniqueness of $M'$
we have $M' = m^{-1}_\Delta(P')$, which means $P' = m_\Delta(M')$. □

5 The Logic of Casl

In this section we define the institution of Casl logic and prove some basic
facts about it (this definition is consistent with what may be found in the Casl
semantics [CASL00]). We do this in three steps.

In step one, we construct the institution $Casl_0 = (Sig_0, Mod_0, Sen_0, \models^0)$.
Its features include multi-sorted first-order logic, both total and partial function
symbols, predicates, and sort-generation constraints. It is defined as follows:

— a signature $\Sigma$ in $Sig_0$ is a tuple $(S, TF, PF, P)$, where:

• $S$ is a finite set of sorts,

• $TF = \{TF_{w,s}\}_{w \in S^*, s \in S}$ is a family of finite sets of names of total function
symbols,

• $PF = \{PF_{w,s}\}_{w \in S^*, s \in S}$ is a family of finite sets of names of partial
function symbols,

• $P = \{P_w\}_{w \in S^*}$ is a family of finite sets of names of predicates.

We additionally require that always $TF_{w,s} \cap PF_{w,s} = \emptyset$. A function symbol
$f \in TF_{w,s} \cup PF_{w,s}$ is denoted $f_{w,s}$. A predicate $b \in P_w$ is denoted $b_w$.

— a signature morphism $\sigma : (S, TF, PF, P) \to (S', TF', PF', P')$ in $Sig_0$ is a
triple $(\sigma^S, \sigma^F, \sigma^P)$, where:

• $\sigma^S : S \to S'$ is a function,

• $\sigma^F = \{\sigma^F_{w,s}\}_{w \in S^*, s \in S}$ is a family of functions, $\sigma^F_{w,s} : TF_{w,s} \cup PF_{w,s} \to
TF'_{(\sigma^S)^*(w), \sigma^S(s)} \cup PF'_{(\sigma^S)^*(w), \sigma^S(s)}$, preserving the totality of symbols,

• $\sigma^P = \{\sigma^P_w\}_{w \in S^*}$ is a family of functions, with $\sigma^P_w : P_w \to P'_{(\sigma^S)^*(w)}$.

— for any signature $\Sigma$, $Mod_0(\Sigma)$ is the category of models having:

• as models $M$, functions taking:

* any sort $s$ in $\Sigma$ to a non-empty carrier set $M[cr, s]$,

* any function symbol $f_{w,s}$ in $\Sigma$, where $w = s_1 \ldots s_n$, to a partial
function $M[fn, f_{w,s}] : M[cr, s_1] \times \cdots \times M[cr, s_n] \rightharpoonup M[cr, s]$, the
function being total if $f_{w,s}$ is,

* any predicate $b_w$ in $\Sigma$, where $w = s_1 \ldots s_n$, to a set $M[pr, b_w] \subseteq
M[cr, s_1] \times \cdots \times M[cr, s_n]$.

• as (homo)morphisms $h : M \to M'$, families $\{h_s\}_{s \in S}$ of functions $h_s :
M[cr, s] \to M'[cr, s]$ such that for any tuple of sorts $w = s_1 \ldots s_n$ in $\Sigma$
and any tuple $(x_1, \ldots, x_n) \in M[cr, s_1] \times \cdots \times M[cr, s_n]$:

* for any sort $s$ and function symbol $f_{w,s}$ in $\Sigma$, if $h_s(M[fn, f_{w,s}]
(x_1, \ldots, x_n))$ is defined, then so is $M'[fn, f_{w,s}](h_{s_1}(x_1), \ldots, h_{s_n}(x_n))$
and they are both equal,

* for any predicate $b_w$ in $\Sigma$, if $(x_1, \ldots, x_n) \in M[pr, b_w]$, then $(h_{s_1}(x_1),
\ldots, h_{s_n}(x_n)) \in M'[pr, b_w]$.

— for any signature morphism $\sigma = (\sigma^S, \sigma^F, \sigma^P) : \Sigma = (S, TF, PF, P) \to \Sigma' =
(S', TF', PF', P')$, the reduct functor $\_|_\sigma : Mod_0(\Sigma') \to Mod_0(\Sigma)$ takes:

• any model $M' \in Mod_0(\Sigma')$ to the model $M \in Mod_0(\Sigma)$ defined by:

* for all sorts $s$ in $\Sigma$, $M[cr, s] = M'[cr, \sigma^S(s)]$,

* for all function symbols $f_{w,s}$ in $\Sigma$, $M[fn, f_{w,s}] = M'[fn, \sigma^F_{w,s}(f)_{(\sigma^S)^*(w), \sigma^S(s)}]$,

* for all predicates $b_w$ in $\Sigma$, $M[pr, b_w] = M'[pr, \sigma^P_w(b)_{(\sigma^S)^*(w)}]$.

• any $\Sigma'$-homomorphism $h' = \{h'_{s'}\}_{s' \in S'} : M' \to N'$ to the $\Sigma$-homomor-
phism $h = h'|_\sigma : M'|_\sigma \to N'|_\sigma$ defined by $h_s = h'_{\sigma^S(s)}$.

— for any signature $\Sigma$, $Sen_0(\Sigma)$ is the set of all closed first-order formulas,
with atomic formulas built using variables of sorts in $\Sigma$, function symbols
and predicates in $\Sigma$, and equality. Additionally, triples $(S_0, F_0, \theta)$, called
sort-generation constraints, are also in this set, provided that:

• $\theta : \Sigma_0 \to \Sigma$ is a signature morphism,

• $S_0$ is the set of generated sorts, i.e., a set of sorts from $\Sigma_0$,

• $F_0$ is the set of constructors, i.e., a set of function symbols from $\Sigma_0$.

— for any signature morphism $\sigma : \Sigma \to \Sigma'$, the function $Sen_0(\sigma) : Sen_0(\Sigma) \to
Sen_0(\Sigma')$ is defined naturally on first-order sentences and by the rule that
$\sigma((S_0, F_0, \theta)) = Sen_0(\sigma)((S_0, F_0, \theta)) = (S_0, F_0, \theta; \sigma)$ on sort-generation con-
straints.

— the satisfaction relation $M \models^0_\Sigma \varphi$ for first-order $\varphi$ is defined as normal first-
order satisfaction, with $=$ interpreted strongly and predicates on non-defined
values being false. For sort-generation constraints we have $M \models^0_\Sigma (S_0, F_0, \theta)$
if for any $s_0 \in S_0$ and any $x_0 \in (M|_\theta)[cr, s_0]$ there exists a term $t_0$ over
$dom(\theta)$ of sort $s_0$ built using function symbols from $F_0$ and with no variables
of sorts from $S_0$, and a valuation $v_0$ into $M|_\theta$ such that $t_0$ under valuation
$v_0$ has value $x_0$.

Proposition 1. $Casl_0$ is an institution. □
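As an added worked example (not from the paper), a concrete $Casl_0$ signature with two models, showing strong equality, predicates on undefined values and the sort-generation condition; the names $Nat$, $zero$, $succ$, $pred$ and $le$ are chosen here.

```latex
% Added example: a concrete Casl_0 signature (all names chosen here, not from the paper).
\Sigma_{Nat} = (S, TF, PF, P),\quad S = \{Nat\},\quad
TF_{\varepsilon,Nat} = \{zero\},\quad TF_{Nat,Nat} = \{succ\},\quad
PF_{Nat,Nat} = \{pred\},\quad P_{Nat\,Nat} = \{le\},
\text{ all other components empty (so } TF_{Nat,Nat} \cap PF_{Nat,Nat} = \emptyset \text{ as required).}

% The standard model M.
M[cr,Nat] = \mathbb{N},\quad M[fn,zero] = 0,\quad M[fn,succ](n) = n+1,\quad
M[fn,pred](n) = \begin{cases} n-1 & n > 0 \\ \text{undefined} & n = 0 \end{cases},\quad
M[pr,le] = \{(m,n) \mid m \le n\}.

% Strong equality: pred(zero) = pred(zero) is false because both sides are undefined,
% so the equation characterises definedness of pred.
M \models^0_{\Sigma_{Nat}} \forall x{:}Nat \cdot (pred(x) = pred(x)) \Leftrightarrow \neg(x = zero)

% Predicates on undefined values are false: at x = 0 the atom le(pred(x), x) is false,
% so the universal sentence fails ...
M \not\models^0_{\Sigma_{Nat}} \forall x{:}Nat \cdot le(pred(x), x)
% ... but holds once definedness is taken as a premise.
M \models^0_{\Sigma_{Nat}} \forall x{:}Nat \cdot (pred(x) = pred(x)) \Rightarrow le(pred(x), x)

% Sort-generation constraint with theta = id: every element of Nat must be the value of
% a term over {zero, succ}; variables of sort Nat are forbidden and there are no other
% sorts, so the terms are closed.
M \models^0_{\Sigma_{Nat}} (\{Nat\}, \{zero, succ\}, id_{\Sigma_{Nat}}),
\quad \text{since } n = succ^n(zero) \text{ for every } n \in \mathbb{N}.

% A second model M_inf with one unreachable element; it agrees with M on N.
M_\infty[cr,Nat] = \mathbb{N} \cup \{\infty\},\quad
M_\infty[fn,succ](\infty) = \infty,\quad M_\infty[fn,pred](\infty) = \infty,\quad
M_\infty[pr,le] = M[pr,le] \cup \{(n,\infty) \mid n \in \mathbb{N} \cup \{\infty\}\}.
M_\infty \not\models^0_{\Sigma_{Nat}} (\{Nat\}, \{zero, succ\}, id_{\Sigma_{Nat}}),
\quad \text{since no closed term } succ^k(zero) \text{ has value } \infty.

% Translation along a renaming sigma : Sigma_Nat -> Sigma' composes theta with sigma,
% so the translated constraint still names the original constructors.
Sen_0(\sigma)((\{Nat\}, \{zero, succ\}, id_{\Sigma_{Nat}})) = (\{Nat\}, \{zero, succ\}, id_{\Sigma_{Nat}}; \sigma)
= (\{Nat\}, \{zero, succ\}, \sigma).
```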
For any morphism $\sigma : \Sigma \to \Delta$, the “image” of $\Sigma$ is denoted $\sigma(\Sigma)$, and its com-
plement $\Delta \setminus \sigma(\Sigma)$. We say that $\sigma$ is an inclusion if $\sigma : \Sigma \to \sigma(\Sigma)$ is the identity.

In the second step we construct the institution $Casl_\le = (Sig_\le, Mod_\le, Sen_\le, \models^\le)$.
Here, signatures are additionally equipped with a subsort preorder which,
on the model level, is interpreted by injective mappings embedding a subsort,
say $Zero$, in a supersort, say $NonNeg$ or $NonPos$. By means of an overloading
relation it is then ensured that if two function symbols use the same name, say
$f : NonNeg \to Elem$ and $f : NonPos \to Elem$, then both are interpreted so
that they “coincide” on the carrier of $Zero$ (the common subsort). The formal
definition follows:

— a signature $\Sigma$ in $Sig_\le$ is a tuple $(S, TF, PF, P, \le)$ such that $(S, TF, PF, P)$ is
a signature in $Sig_0$ and $\le$ is a reflexive-transitive subsort preorder on $S \times S$;
for such a signature the overloading relations $\sim_F$ and $\sim_P$ are defined by:

• $f_{w_1,s_1} \sim_F f_{w_2,s_2}$ if there exist $w$ and $s$ with $w \le^* w_1, w_2$ and $s_1, s_2 \le s$,

• $b_{w_1} \sim_P b_{w_2}$ if there exists $w$ with $w \le^* w_1, w_2$.

— a signature morphism $\sigma : \Sigma = (S, TF, PF, P, \le) \to \Sigma' = (S', TF', PF',
P', \le')$ in $Sig_\le$ is a signature morphism $\sigma = (\sigma^S, \sigma^F, \sigma^P) : (S, TF, PF, P) \to
(S', TF', PF', P')$ in $Sig_0$ such that:

• $s \le s'$ implies $\sigma^S(s) \le' \sigma^S(s')$ for all sorts $s, s'$ in $\Sigma$,

• $f_{w_1,s_1} \sim_F f_{w_2,s_2}$ implies $\sigma^F(f)_{(\sigma^S)^*(w_1), \sigma^S(s_1)} \sim'_F
\sigma^F(f)_{(\sigma^S)^*(w_2), \sigma^S(s_2)}$ for all function symbols $f_{w_1,s_1}, f_{w_2,s_2}$ in $\Sigma$,

• $b_{w_1} \sim_P b_{w_2}$ implies $\sigma^P(b)_{(\sigma^S)^*(w_1)} \sim'_P \sigma^P(b)_{(\sigma^S)^*(w_2)}$ for all predicates
$b_{w_1}, b_{w_2}$ in $\Sigma$.

— for any signature $\Sigma = (S, TF, PF, P, \le)$ in $Sig_\le$, by $\Sigma^\#$ we denote the $Sig_0$
signature $(S, TF^\#, PF^\#, P^\#)$, where:

• $TF^\#_{w,s} = TF_{w,s} \uplus \{em_{s' \le s} \mid w = s' \le s\}$ (the embeddings),

• $PF^\#_{w,s} = PF_{w,s} \uplus \{prj_{s' \ge s} \mid s \le s' = w\}$ (the projections),

• $P^\#_w = P_w \uplus \{in_{s,s'} \mid s' \le s = w\}$ (the membership predicates).

This naturally extends to a functor $(\_)^\# : Sig_\le \to Sig_0$.

By $\Sigma^{\#\#}$ we denote the presentation $(\Sigma^\#, \Phi^\#)$, where $\Phi^\#$ consists of the defining
sentences, which state that:

1. an embedding of $s$ into $s$ is the identity,

2. an embedding of $s$ into $s'$ is injective,

3. the composition of embeddings of $s$ into $s'$ and $s'$ into $s''$ is equal to the
embedding of $s$ into $s''$,

4. a projection of $s'$ onto $s$ is the least right-sided inverse of the embedding
of $s$ into $s'$,

5. a membership predicate $in_{s,s'}$ holds on an element $x$ of sort $s$ iff the
projection of $s$ onto $s'$ is defined on $x$,

6. if $f_{w_1,s_1} \sim_F f_{w_2,s_2}$, $w \le^* w_1, w_2$ and $s_1, s_2 \le s$, then for any tuple $x^*$ of
elements of sorts $w$, embedding $x^*$ in $w_1$, applying $f_{w_1,s_1}$ and embedding
that in $s$ gives the same result as embedding $x^*$ in $w_2$, applying $f_{w_2,s_2}$
and embedding that in $s$,

7. if $b_{w_1} \sim_P b_{w_2}$ and $w \le^* w_1, w_2$, then for any tuple $x^*$ of elements of
sorts $w$, embedding $x^*$ in $w_1$ and checking whether it is in $b_{w_1}$ gives the
same result as embedding $x^*$ in $w_2$ and checking whether it is in $b_{w_2}$.




246 P. Hoffman



Again, this naturally extends to a functor $(\_)^{\#\#} : Sig_\le \to Pres(Casl_0)$.

— the model functor $Mod_\le$ is defined as the composition $((\_)^{\#\#})^{op}; Mod_0$,

— the sentence functor $Sen_\le$ is defined as the composition $(\_)^\#; Sen_0$,

— the satisfaction relation is defined by $M \models^\le_\Sigma \varphi$ if $M \models^0_{\Sigma^\#} \varphi$, for $M \in
Mod_\le(\Sigma)$ and $\varphi \in Sen_\le(\Sigma)$.

Proposition 2. The triple $R_0$ consisting of:

— $(\_)^{\#\#} : Sig_\le \to Pres(Casl_0)$,

— $\{id_{Sen_\le(\Sigma)}\}_{\Sigma \in Ob(Sig_\le)} : Sen_\le \to (\_)^\#; Sen_0$,

— $\{id_{Mod_\le(\Sigma)}\}_{\Sigma \in Ob(Sig_\le)} : ((\_)^{\#\#})^{op}; Mod_0 \to Mod_\le$,

is a representation of $Casl_\le$ in $Casl_0$. □
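As an added worked example (not from the paper), the $Zero$/$NonNeg$/$NonPos$ signature from the motivation above made precise: its overloading relation, the symbols that $\Sigma^\#$ adds, the instance of defining sentence 6, and one $\Sigma^\#$-model that is in $Mod_\le(\Sigma)$ beside one that is not. The interpretations $n^2$, $-n$ and $n-1$ are chosen here.

```latex
% Added example (not from the paper): the Zero/NonNeg/NonPos signature in Sig_<=.
\Sigma = (S, TF, PF, P, \le),\quad S = \{Zero, NonNeg, NonPos, Elem\},
TF_{NonNeg,Elem} = \{f\},\quad TF_{NonPos,Elem} = \{f\},\quad
\text{all other } TF_{w,s}, PF_{w,s}, P_w \text{ empty},
\le \;=\; \text{the reflexive closure of } \{Zero \le NonNeg,\ Zero \le NonPos\}.

% Overloading: w = Zero <=* NonNeg, NonPos and s = Elem witness
f_{NonNeg,Elem} \sim_F f_{NonPos,Elem}.

% Beyond the self-embeddings em_{s<=s}, self-projections prj_{s>=s} and membership
% predicates in_{s,s} of every sort, Sigma^# contains:
em_{Zero \le NonNeg} \in TF^\#_{Zero,NonNeg},\quad em_{Zero \le NonPos} \in TF^\#_{Zero,NonPos},
prj_{NonNeg \ge Zero} \in PF^\#_{NonNeg,Zero},\quad prj_{NonPos \ge Zero} \in PF^\#_{NonPos,Zero},
in_{NonNeg,Zero} \in P^\#_{NonNeg},\quad in_{NonPos,Zero} \in P^\#_{NonPos}.

% Defining sentence 6 at the overloaded pair, with w = Zero and s = Elem; by defining
% sentence 1 the outer self-embedding em_{Elem<=Elem} is the identity.
\forall x{:}Zero \cdot em_{Elem \le Elem}(f_{NonNeg,Elem}(em_{Zero \le NonNeg}(x)))
   = em_{Elem \le Elem}(f_{NonPos,Elem}(em_{Zero \le NonPos}(x)))

% A Sigma^#-model M; self-embeddings and self-projections are identities and
% in_{s,s} is the whole carrier, as sentences 1, 4 and 5 force.
M[cr,Zero] = \{0\},\ M[cr,NonNeg] = \mathbb{N},\ M[cr,NonPos] = \{0,-1,-2,\ldots\},\ M[cr,Elem] = \mathbb{Z},
M[fn, em_{Zero \le NonNeg}](0) = 0,\quad M[fn, em_{Zero \le NonPos}](0) = 0,
M[fn, f_{NonNeg,Elem}](n) = n^2,\quad M[fn, f_{NonPos,Elem}](n) = -n,
M[fn, prj_{NonNeg \ge Zero}](n) = \begin{cases} 0 & n = 0 \\ \text{undefined} & n \ne 0 \end{cases}
\ (\text{and likewise } prj_{NonPos \ge Zero}),
M[pr, in_{NonNeg,Zero}] = M[pr, in_{NonPos,Zero}] = \{0\}.
% Sentence 6 holds in M: on the only element of Zero both sides are 0^2 = 0 = -0,
% so M satisfies Phi^# and M is in Mod_<=(Sigma).

% Replacing f_{NonPos,Elem} by n -> n - 1 gives a Sigma^#-model N with
N[fn, f_{NonPos,Elem}](0) = -1 \ne 0 = N[fn, f_{NonNeg,Elem}](0),
% so N violates sentence 6: N is in Mod_0(Sigma^#) but not in Mod_<=(Sigma).
```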

We now present a construction developed in [ST88]. Given an institution $I =
(Sig, Mod, Sen, \models)$ and a class $\mathcal{D}$ of signature morphisms, define the institution
of structured specifications over $I$, denoted $Str_\mathcal{D}(I) = (Sig, Mod, Sen', \models')$, by
structural induction. For any signature $\Sigma$, a sentence in $Sen'(\Sigma)$ is:

— a presentation $(\Sigma, \Phi)$ over $I$; we define $M \models'_\Sigma (\Sigma, \Phi)$ if $M \models_\Sigma \Phi$,

— translate $\varphi$ by $\sigma$, with $\sigma : \Delta \to \Sigma$ and $\varphi$ a $\Delta$-sentence over $Str_\mathcal{D}(I)$; we
define $M \models'_\Sigma$ translate $\varphi$ by $\sigma$ if $M|_\sigma \models'_\Delta \varphi$,

— $\varphi_1 \cup \varphi_2$, where $\varphi_1$ and $\varphi_2$ are $\Sigma$-sentences over $Str_\mathcal{D}(I)$; we define $M \models'_\Sigma
\varphi_1 \cup \varphi_2$ if $M \models'_\Sigma \varphi_1$ and $M \models'_\Sigma \varphi_2$,

— derive $\sigma$ from $\varphi$, where $\sigma : \Sigma \to \Delta$ comes from $\mathcal{D}$ and $\varphi$ is a $\Delta$-sentence
over $Str_\mathcal{D}(I)$; we define $M \models'_\Sigma$ derive $\sigma$ from $\varphi$ if $M$ has a $\sigma$-extension
$N \models'_\Delta \varphi$,

— free $\varphi$ along $\sigma$, with $\sigma : \Delta \to \Sigma$ and $\varphi$ a $\Sigma$-sentence over $Str_\mathcal{D}(I)$; we
define $M \models'_\Sigma$ free $\varphi$ along $\sigma$ if $M \models'_\Sigma \varphi$ and for any model $N \models'_\Sigma \varphi$ and
any homomorphism $h : M|_\sigma \to N|_\sigma$ there exists a unique homomorphism
$g : M \to N$ such that $g|_\sigma = h$.

The translation of a $\Sigma$-sentence $\varphi$ over $Str_\mathcal{D}(I)$ along a signature morphism
$\sigma : \Sigma \to \Delta$ is defined to be translate $\varphi$ by $\sigma$.

Now, the full Casl institution, denoted $Casl_1$, is simply $Str_\mathcal{I}(Casl_\le)$,
where $\mathcal{I}$ is the class of all signature morphisms $\sigma$ which are inclusions.

The following proposition allows us to lift representations of institutions to
representations of structured specifications over them:

Proposition 3. For any class $\mathcal{D}$ of signature morphisms in $I$ and representa-
tion $R = (\rho, s, m) : I \to I'$ the following is a representation $R' = (\rho', s', m') :
Str_\mathcal{D}(I) \to Str_{\mathcal{D}'}(I')$, where $\mathcal{D}' = \{\rho(\sigma) \mid \sigma \in \mathcal{D}\}$:

— $\rho'(\Sigma) = (Sig[\rho(\Sigma)], \{\rho(\Sigma)\})$,

— $m' = m$,

— $s'$ is defined by structural induction:

• $s'_\Sigma((\Sigma, \Phi)) = (Sig[\rho(\Sigma)], \bar{s}_\Sigma(\Phi))$,

• $s'_\Sigma(\text{translate } \varphi \text{ by } \sigma) = (\text{translate } s'_{dom(\sigma)}(\varphi) \text{ by } \rho(\sigma)) \cup \rho(cod(\sigma))$,

• $s'_\Sigma(\varphi_1 \cup \varphi_2) = s'_\Sigma(\varphi_1) \cup s'_\Sigma(\varphi_2)$,

• $s'_\Sigma(\text{derive } \sigma \text{ from } \varphi) = \text{derive } \rho(\sigma) \text{ from } s'_{cod(\sigma)}(\varphi)$,

• $s'_\Sigma(\text{free } \varphi \text{ along } \sigma) = \text{free } s'_{cod(\sigma)}(\varphi) \text{ along } \rho(\sigma)$. □

Let $StrCasl_0 = Str_\mathcal{I}(Casl_0)$. The standard representation $R = (\rho, s, m) :
Casl_1 \to StrCasl_0$ is the representation obtained via the above proposition
from the representation $R_0 : Casl_\le \to Casl_0$. Note that any Casl structured
specification, as defined in the official semantics, may be easily represented as a
sentence over $Casl_1$; the institution $StrCasl_0$, on the other hand, is equivalent
to Casl structured specifications in which no subsorting is ever used.

6 Applying the Theorems to Casl 

In this section we apply Th. 3 and 4 to Casl and the standard representation.

From [Hof01] (Prop. 1 and Cor. 1) we know that if the signature category is
finitely cocomplete, the colimits are computable, and the model functor preserves
finite limits, then the institution has logical amalgamation. The category $Sig_0$ is
indeed finitely cocomplete [Mos98], the colimits being computable. The functor
$Mod_0$ preserves finite limits, too (cf. [GB84] for the first-order case). Thus:

Proposition 4. The institution $StrCasl_0$ has logical amalgamation. □

The same is of course true for $Casl_0$. However, neither $Casl_\le$ nor $Casl_1$ has
logical amalgamation (see [SMTKH01]), and this is the reason for introducing
the representation $R$.

We now take a look at the assumptions of Th. 4. We will need the following 
auxiliary fact: 

Proposition 5. In the institution $StrCasl_0$ isomorphic models are elementarily
equivalent, i.e., they satisfy precisely the same sentences. □

Proposition 6. In $StrCasl_0$ morphism equalities are expressible.

Proof. Let $\alpha, \beta : \Sigma \to \Delta$ be arbitrary signature morphisms. If there exists a sort
$s$ in $\Sigma$ with $\alpha^S(s) \ne \beta^S(s)$, then let $\varphi$ be the sentence “false”. Otherwise let $\varphi$
be the conjunction of:

— “$\forall x^* : (\alpha^S)^*(w) \cdot \alpha^F(f)_{(\alpha^S)^*(w), \alpha^S(s)}(x^*) = \beta^F(f)_{(\beta^S)^*(w), \beta^S(s)}(x^*)$”, for
$f_{w,s}$ in $\Sigma$,

— “$\forall x^* : (\alpha^S)^*(w) \cdot \alpha^P(b)_{(\alpha^S)^*(w)}(x^*) \Leftrightarrow \beta^P(b)_{(\beta^S)^*(w)}(x^*)$”, for $b_w$ in $\Sigma$.

We claim that for any finite set $\Phi_0$ of $\Delta$-sentences, we have $\Phi_0 \models_\Delta \varphi$ iff for any
$M \models_\Delta \Phi_0$ we have $M|_\alpha = M|_\beta$.

The proof of “⇒” is trivial. For “⇐”, take $\Phi_0$ satisfying the premise and let
$M \models_\Delta \Phi_0$.
There exists a model $N$ with all carriers distinct (here we use the non-
emptiness of carriers), isomorphic to $M$. By Prop. 5, $M$ and $N$ satisfy precisely
the same $\Delta$-sentences. Thus $N \models_\Delta \Phi_0$ and therefore $N|_\alpha = N|_\beta$. This implies
that for any sort $s$ in $\Sigma$, $N[cr, \alpha^S(s)] = N[cr, \beta^S(s)]$, and so $\alpha^S(s) = \beta^S(s)$.

Thus, $\varphi$ is a conjunction of sentences, as defined above. We only need to
prove that this conjunction holds in $M$. But this is obvious, since $M|_\alpha = M|_\beta$,
so for any $f_{w,s}$ in $\Sigma$ we must have $M[fn, \alpha^F(f)_{(\alpha^S)^*(w), \alpha^S(s)}] = M[fn, \beta^F(f)_{(\beta^S)^*(w), \beta^S(s)}]$,
which implies that $M$ must satisfy the appropriate element of the conjunction;
a similar argument applies to predicates. □

Let $\varepsilon$ be the class of morphisms $\eta : \Sigma \to \Sigma'$ in $Casl_1$ such that $\eta^S$, $\eta^F$ and
$\eta^P$ are surjective functions and the subsort preorder in $\Sigma'$ is the least preorder
generated by the $\eta^S$-image of the subsort preorder of $\Sigma$. Note that $\eta \in \varepsilon$ does
not imply that $\rho(\eta)$ is an epimorphism. We do have:

Proposition 7. Any universal morphism $\sigma : \Sigma_1 \sqcup \Sigma_2 \to \Sigma_1 \cup \Sigma_2$ in $Casl_1$ is
in $\varepsilon$. □

Proposition 8. $\varepsilon$-extendability is expressible in $R$.

Proof. Let $\eta : \Sigma \to \Sigma'$ be in $\varepsilon$, set $\rho(\Sigma) = (\Delta, \Phi)$ and $\rho(\Sigma') = (\Delta', \Phi')$. Let
$\theta = \rho(\eta) : \Delta = (S, TF, PF, P) \to \Delta' = (S', TF', PF', P')$. By $C_\emptyset$ we denote a
function constantly equal to $\emptyset$ and with an appropriate domain.

To prove condition (1) of the definition we now define three families of pairs
of morphisms:

— for any sorts $s, s'$ in $\Delta$ such that $\theta^S(s) = \theta^S(s')$, let $\alpha, \beta : (\{s\}, C_\emptyset, C_\emptyset, C_\emptyset) \to
\Delta$ be such that $\alpha$ takes $s$ to $s$ and $\beta$ takes $s$ to $s'$,

— for any function symbols $f_{w,s}$ and $f'_{w',s'}$ in $\Delta$, where $w = s_1 \ldots s_n$ and
$w' = s'_1 \ldots s'_n$, such that $\theta^F_{w,s}(f) = \theta^F_{w',s'}(f')$, let $\alpha, \beta : (\{t_1, \ldots, t_n, t_0\}, C_\emptyset,
C_\emptyset[\{f\}/(t_1 \ldots t_n, t_0)], C_\emptyset) \to \Delta$ be such that $\alpha$ takes $f$ to $f$ and $t_i$ to $s_i$, and
$\beta$ takes $f$ to $f'$ and $t_i$ to $s'_i$ (for $0 \le i \le n$, with $s_0 = s$ and $s'_0 = s'$; the $t_i$ are chosen distinct),

— for any predicates $b_w$ and $b'_{w'}$ in $\Delta$, where $w = s_1 \ldots s_n$ and $w' = s'_1 \ldots s'_n$,
such that $\theta^P_w(b) = \theta^P_{w'}(b')$, let $\alpha, \beta : (\{t_1, \ldots, t_n\}, C_\emptyset, C_\emptyset, C_\emptyset[\{b\}/t_1 \ldots t_n]) \to
\Delta$ be such that $\alpha$ takes $b$ to $b$ and $t_i$ to $s_i$, and $\beta$ takes $b$ to $b'$ and $t_i$ to $s'_i$
(for $1 \le i \le n$; the $t_i$ again chosen distinct).

We claim that a $\Delta$-model $M$ is $\theta$-extendible iff for all of the above-defined
pairs $(\alpha, \beta)$ we have $M|'_\alpha = M|'_\beta$.

The “only if” part is fairly obvious: if we have a $\Delta'$-model $N$ with $N|'_\theta = M$
and $(\alpha, \beta)$ is one of the above pairs, then, since $\alpha;\theta = \beta;\theta$, we have $M|'_\alpha =
(N|'_\theta)|'_\alpha = N|'_{\alpha;\theta} = N|'_{\beta;\theta} = (N|'_\theta)|'_\beta = M|'_\beta$.

For the “if” part, suppose that a $\Delta$-model $M$ indeed satisfies all of the re-
quired equations. We define a $\Delta'$-model $N$:
— for any sort $s'$ in $\Delta'$, $N[cr, s'] = M[cr, s]$, for any sort $s$ in $\Delta$ with $s' = \theta^S(s)$
(since $\eta \in \varepsilon$, such an $s$ must exist),

— for any function symbol $f'_{w',s'}$ in $\Delta'$, $N[fn, f'_{w',s'}]$ is:

• $M[fn, f_{w,s}]$ if $w' = (\theta^S)^*(w)$, $s' = \theta^S(s)$ and $f' = \theta^F_{w,s}(f)$ for some
function symbol $f_{w,s}$ in $\Delta$,

• any function of the appropriate type, otherwise,

— for any predicate $b'_{w'}$ in $\Delta'$, $N[pr, b'_{w'}]$ is:

• $M[pr, b_w]$ if $w' = (\theta^S)^*(w)$ and $b' = \theta^P_w(b)$ for some predicate $b_w$ in $\Delta$,

• the empty relation, otherwise.

This definition is correct precisely because for any of the above pairs of mor-
phisms $(\alpha, \beta)$ we have $M|'_\alpha = M|'_\beta$. Directly from the definition it follows that
$M = N|'_\theta$. This proves condition (1) of the definition. Thus, we move to condi-
tion (2).

For any sorts $s, t$ in $\Delta'$, an $s,t$-path $q$ is a sequence $s_1 \le \cdots \le s_n$ ($n \ge
1$) such that $s = \theta^S(s_1)$, $t = \theta^S(s_n)$ and that $s_i = s_j$, $i < j$ imply $i = 1$,
$j = n$. For any $\Delta'$-term $T$ of sort $s$, by $q(T)$ we denote the “composition-of-
embeddings” term $em_{\theta^S(s_{n-1}) \le \theta^S(s_n)}(\ldots em_{\theta^S(s_1) \le \theta^S(s_2)}(T) \ldots)$. These notions
are further extended to tuples $w$ of sorts and $q^*$ of sequences (the sequence at
each coordinate may be of different length). Observe that since $\eta \in \varepsilon$, for any
sorts $s \le' t$ in $\Delta'$ there exists an $s,t$-path. Also, the set of all paths is finite.

As the set $\Psi'$ from condition (2) we take $\theta(\Phi)$ plus:

(A) for any $s,t$-paths $q_1$ and $q_2$, the sentence “$\forall x : s \cdot q_1(x) = q_2(x)$”,

(B) for any $f_{w_1,s_1} \sim_F f_{w_2,s_2}$ in $\Sigma'$, any $w,w_1$-paths $q^*_1$, $w,w_2$-paths $q^*_2$, $s_1,s$-
path $q_1$ and $s_2,s$-path $q_2$, the sentence “$\forall x^* : w \cdot q_1(f_{w_1,s_1}(q^*_1(x^*))) =
q_2(f_{w_2,s_2}(q^*_2(x^*)))$”,

(C) for any $b_{w_1} \sim_P b_{w_2}$ in $\Sigma'$, any $w,w_1$-paths $q^*_1$ and $w,w_2$-paths $q^*_2$, the sen-
tence “$\forall x^* : w \cdot b_{w_1}(q^*_1(x^*)) \Leftrightarrow b_{w_2}(q^*_2(x^*))$”.

Let $N$ be a $\Delta$-model. We will prove that:

1. if $N$ has a $\theta$-extension satisfying $\Phi'$, then any of its $\theta$-extensions satisfies $\Psi'$,

2. if $N$ has a $\theta$-extension satisfying $\Psi'$, then it has a unique $\theta$-extension satis-
fying $\Phi'$.

Observe that by definition of $\Psi'$, for $\Delta'$-models $P, Q$, if $P|'_\theta = Q|'_\theta$, then $P \models'_{\Delta'} \Psi'$
iff $Q \models'_{\Delta'} \Psi'$. Also, $\Phi' \models'_{\Delta'} \Psi'$. Now, if $N' \models'_{\Delta'} \Phi'$ and $N = N'|'_\theta = N''|'_\theta$, then
$N' \models'_{\Delta'} \Psi'$ and $N'|'_\theta = N''|'_\theta$, hence $N'' \models'_{\Delta'} \Psi'$. This proves point (1).

As for point (2), take any model $N$ and its $\theta$-extension $N'$ satisfying $\Psi'$.
Define a $\Delta'$-model $M'$ as follows:

— carriers and function symbols (embeddings, etc., inclusive) and predicates in
$\theta(\Delta)$ are interpreted in $M'$ as in $N'$,

— for any embedding $em_{s \le t}$ in $\Delta' \setminus \theta(\Delta)$ we set $M'[fn, em_{s \le t}] =
N'[fn, em_{\theta^S(s_1) \le \theta^S(s_2)}]; \ldots; N'[fn, em_{\theta^S(s_{n-1}) \le \theta^S(s_n)}]$, where $q = s_1 \le
\cdots \le s_n$ is an $s,t$-path,

— for any projection $prj_{t \ge s}$ in $\Delta' \setminus \theta(\Delta)$ we set $M'[fn, prj_{t \ge s}]$ to be the least
right-sided inverse of $M'[fn, em_{s \le t}]$,

— for any predicate $in_{s,t}$ in $\Delta' \setminus \theta(\Delta)$ we set $M'[pr, in_{s,t}] = \{x \in M'[cr, s] \mid
M'[fn, prj_{s \ge t}](x) \text{ is defined}\}$.

The fact that $N'$ satisfies the sentences from point (A) ensures that this definition
is correct. It is also clear that $M'$ is a $\theta$-extension of $N$. We now check that
$M' \models'_{\Delta'} \Phi'$.

Defining sentence no. 1 (defining sentences have been introduced in the pre-
vious section) holds, since all self-embeddings are in $\theta(\Delta)$. Defining sentences 3,
4 and 5 hold by definition of $M'$. Sentence 2 is a consequence of 3 and of the
original embeddings being injective in $N$. Sentences 6 and 7 are consequences of
the sentences from points (B) and (C).

Since it is obvious that any $\theta$-extension of $N$ satisfying defining sentences 1–7
is forced to be defined as above, this completes the proof. □
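As an added example (not from the paper), the pairs $(\alpha, \beta)$ of the proof's first two families for the smallest non-trivial case, a morphism $\eta \in \varepsilon$ that identifies two sorts; the sort names $s, s', u$ and the carriers $\{a, b\}$ are chosen here, and $\Delta = \Sigma^\#$ is taken as it comes from the standard representation.

```latex
% Added example (not from the paper). Sigma and Sigma' in Casl_1 have no function or
% predicate symbols of their own; eta collapses the two sorts of Sigma into u.
\Sigma = (\{s, s'\}, C_\emptyset, C_\emptyset, C_\emptyset, \{s \le s,\ s' \le s'\}),\qquad
\Sigma' = (\{u\}, C_\emptyset, C_\emptyset, C_\emptyset, \{u \le u\}),\qquad
\eta^S(s) = \eta^S(s') = u.
% eta is in epsilon: eta^S, eta^F, eta^P are surjective and {u <= u} is the preorder
% generated by the eta^S-image of <=.

% Under the standard representation Delta = Sigma^# and Delta' = Sigma'^# consist of the
% self-embeddings, self-projections and membership predicates; theta = rho(eta) maps
\theta^F(em_{s \le s}) = \theta^F(em_{s' \le s'}) = em_{u \le u},\quad
\theta^F(prj_{s \ge s}) = \theta^F(prj_{s' \ge s'}) = prj_{u \ge u},\quad
\theta^P(in_{s,s}) = \theta^P(in_{s',s'}) = in_{u,u}.

% First family (sorts identified by theta^S):
\alpha_1, \beta_1 : (\{s\}, C_\emptyset, C_\emptyset, C_\emptyset) \to \Delta,\qquad
\alpha_1(s) = s,\quad \beta_1(s) = s'.
% Second family (function symbols identified by theta^F), shown for the two embeddings:
\alpha_2, \beta_2 : (\{t_1, t_0\}, C_\emptyset, C_\emptyset[\{em\}/(t_1, t_0)], C_\emptyset) \to \Delta,
\alpha_2 : em \mapsto em_{s \le s},\ t_1, t_0 \mapsto s;\qquad
\beta_2 : em \mapsto em_{s' \le s'},\ t_1, t_0 \mapsto s'.
% Analogous pairs arise for the two projections and, from the third family, for in_{s,s}
% and in_{s',s'}.

% Condition (1) for a Delta-model M, written out:
M|'_{\alpha_1} = M|'_{\beta_1} \iff M[cr, s] = M[cr, s'],
M|'_{\alpha_2} = M|'_{\beta_2} \iff M[cr, s] = M[cr, s'] \ \wedge\ M[fn, em_{s \le s}] = M[fn, em_{s' \le s'}].
% For M in Mod'(rho(Sigma)) the second equation follows from the first, because by
% defining sentence 1 both self-embeddings are identities (and likewise the
% self-projections and in_{s,s}, in_{s',s'} are determined by the carriers). So M is
% theta-extendible exactly when its two carriers coincide, and the "if" part of the
% proof then builds the Delta'-model N with N[cr, u] = M[cr, s].

% Witnesses: M[cr, s] = M[cr, s'] = {a, b} is theta-extendible;
% M[cr, s] = {a}, M[cr, s'] = {a, b} is not, although both satisfy Phi.
```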

Props. 4, 6, 7 and 8 allow us to state the following:

Corollary 1. Theorems 3 and 4 apply to $Casl_1$ and the standard representation
$R : Casl_1 \to StrCasl_0$. □

Actually, even more may be said. The cited propositions together with Theo-
rems 3 and 4 define an algorithm which reduces the problem of checking
whether a $Casl_1$ architectural specification has a denotation (i.e., is correct) to
the problem of proving semantic consequence in the $StrCasl_0$ institution, that
is, in the institution of structured specifications over multi-sorted Casl. This
statement is somewhat weakened by the fact that, for this reduction to work,
the architectural specification at issue must contain no inconsistent parametric
unit declarations and no parametric unit in it may be applied more than once.

This algorithm is of particular value, because proving semantic consequence 
between structured specifications has gained a lot of attention; recent papers to 
be mentioned include [BCH99,Borz98,MAH01]. 

7 Conclusion 

In this paper a system for proving properties of architectural specifications
has been presented, correct and complete w.r.t. a generative semantics. Of
course this completeness is relative to the calculus used for proving semantic
consequence. This system is general enough to include the full Casl logic, even
though that logic does not enjoy the amalgamation property.

This work builds on the work of [Hof01]. There, techniques for the rela-
tively simple case of first-order logic were introduced. Here, we provide ab-
stract, institution-independent formulations of the needed properties and of the theo-
rems. Moreover, it is proven that the full Casl logic satisfies those properties,
thus giving us a verification algorithm for Casl architectural specifications, and
at the same time showing to how wide a scope of logics our techniques apply.

It should, however, be borne in mind that the algorithm of [Hof01] was
complete w.r.t. a non-generative semantics, while the algorithm presented here
is complete w.r.t. a generative semantics (a generative semantics easily reduces
to a non-generative one).
A clear aim is to get all the advantages of the current approach while re-
taining completeness w.r.t. a non-generative semantics, and thus fully solve
the verification problem for Casl architectural specifications. This would also
require taking a closer look at the remaining Casl architectural constructs
(imports may cause additional trouble). What might also be interesting is us-
ing a representation into a different institution, namely that of enriched Casl
[SMTKH01,SMT01,SMTKH]; this way, one would not remove any information
from specifications, as is the case with the standard representation (in enriched
Casl a subsort category replaces the subsort preorder).
Abstract. Petri nets and Algebraic High-Level Nets are well known for modeling parallel and concurrent systems. In this paper, we introduce the concept of Algebraic Higher-Order Nets, which allow dynamic tokens like graphs or (ordinary low-level) Petri nets. For this purpose, we specify graphs and Petri nets in the higher-order algebraic specification language HasCasl such that graphs and Petri nets become first-class citizens, i.e. members of algebras (rather than algebras themselves). As an example, we model hospital therapeutic processes by a single higher-order net. Individual care plans for each patient are tokens modeled by low-level nets.



1 Introduction 

Petri nets are well established to support the modeling and simulation of parallel and concurrent systems and represent a well-known and widely used formalism. The combination of algebraic specification and Petri nets, called Algebraic High-Level Nets [EPR94,PER95], gives rise to a formal and well-defined description of the dynamic behaviour of concurrent and distributed systems. This formalism is adequate in application domains where tokens are simple data elements, that is, objects are modeled by basic sorts. In other application domains it is also desirable to use higher-order objects as tokens, like graphs, which can hardly be realized by basic sorts. Furthermore, in the context of Petri nets there are interesting applications that consider dynamic tokens, like Petri nets themselves [Val98,Val00]. We propose the concept of Algebraic Higher-Order Nets [Hof00] to obtain higher-order objects as tokens. Roughly speaking, Algebraic Higher-Order Nets are Algebraic High-Level Nets where the algebraic specification is a higher-order specification.

The focus of the paper is on the high modeling capability given by Algebraic Higher-Order Nets (AHO-nets). We present an extension of Petri nets including the concept of the higher-order algebraic specification language HasCasl [SM02]. We sketch the semantical model of higher-order processes [EHP+02], while detailed definitions and resulting theorems are out of the scope of the paper. Furthermore, we introduce a specification of graphs in HasCasl. But contrary to the first-order algebraic approach [EHKP91], where a graph is considered as a two-sorted algebra with two unary operations, a graph is related to a higher-order type. Petri nets are bipartite graphs, therefore we transfer the specification of graphs to Petri nets. The main result of this paper is the specification of Petri nets in HasCasl leading to AHO-nets with Petri nets as tokens. On the one hand, these higher-order objects can be transported through the system. But on the other hand, also the structure of objects can be changed during transition firing. This is a new approach in the area of Petri nets.

The paper is organized in the following way: After a general introduction and motivation we sketch the specification of graphs. We give the specification of Petri nets and illustrate the main idea of AHO-nets with Petri nets as tokens. We apply AHO-nets with Petri nets as tokens to hospital therapeutic processes, which is a restricted version of an informal case study as proposed in [Han97]. We demonstrate that our approach is adequate in the application domain of business processes using higher-order processes as a semantical model. Further aspects concerning the data type part, like the flexible modification of objects, are discussed. Finally, we point out the relevance of our construction in other application domains like agent modeling.



2 Motivation and Related Work 

AHO-nets are associated with the higher-order algebraic specification language HasCasl [SM02]. HasCasl specifications are appropriate since they combine the simplicity of algebraic specification with higher-order features, the latter being needed for graphs and Petri nets as first-class citizens. The formalism of AHO-nets provides a two-level modeling technique: Objects are considered as higher-order tokens, while the system reflects the organizational structure and describes how objects are processed.

In the area of Petri nets, the modeling of higher-order tokens is a hot topic of research. In [Val98,Val00] objects and systems are defined as condition/event systems. So, a simple notion of Petri nets as tokens is achieved, such that most principles of elementary net theory are respected and extended (e.g. processes as formal semantics). However, this approach enforces the use of the same formalism for both the Petri net tokens and the overall net. By contrast, we distinguish between the object level and the system level by using different formal frameworks. Petri net tokens are encoded in an appropriately defined HasCasl specification, which is used for the data type part of AHO-nets. We specify operations for changing the structure of Petri net tokens, while the system structure is left unchanged. The advantage is a more flexible modeling technique.

There are approaches that combine object-oriented modeling and Petri nets (see [ADCR01] for an overview). Their definition of Petri nets comes with a definition of object classes using an object-oriented language, and tokens are instances of these classes. By contrast, we do not incorporate all the features of object-oriented modeling like inheritance and encapsulation, as we concentrate on such properties that can be expressed on the level of algebraic specification languages.

In Higher-Order Nets [Han97] interface places are used to integrate Petri net tokens as resources into the model. This approach is not formal but more application oriented and leads to an adequate informal modeling technique for business processes. While the basic idea is somewhat similar to the presented approach, our work is more general in the sense that Petri net tokens are not restricted to special places.

Essentially, the idea of AHO-nets is to handle higher-order features in the data type part, e.g. higher-order types of graph and Petri net tokens consisting of one set and two functions. The main benefit of our approach are specific operations to change the structure of graph and Petri net tokens and to simulate the local behaviour of Petri net tokens.

We motivate our approach by some semi-formal examples. In Fig. 1, we consider a specification of graphs denoted by the type inscription Graph (see Section 3). We use zoom lines to illustrate the general distinction between the system level and the object level. The zoom enlarges the higher-order object graph that is a token in the respective system model. The box in the lower part of Fig. 1 is a closer view of a graph, an element of the graph carrier set in the corresponding HasCasl model. Obviously, there may be different objects for the same system.



Fig. 1. Graphs as tokens (figure: a transition transport between the places p : Graph and p' : Graph, with a zoom into the graph token)

To demonstrate the semantics of the AHO-net in Fig. 1 we first assign the token graph to the variable g denoted in the arc inscription of the transition transport. Then, the follower marking is computed as follows: The token graph is consumed from the place p. Subsequently, the token graph is added to the place p'.

In general, the data type part of AHO-nets is not restricted to graphs. According to other application domains, objects can be specified in quite different ways. In Fig. 2, we use the specification of Petri nets (see Section 3) instead of that of graphs, leading to the notion of AHO-nets with Petri nets as tokens.

Petri nets have their own firing behaviour. Therefore, we can think about the autonomous activity of objects, i.e. the follower marking is computed on both levels, the system level and the object level, respectively. We assume that the initial marking of the AHO-net in Fig. 2 consists of the Petri net net1. In net1 the transition t1 is enabled since the current marking of net1 contains the token start. By the firing of the transition follower marking, on the one hand, the Petri net net1 is consumed from place p1. On the other hand, the marking of the Petri net net1 is changed in the sense that the follower marking is computed and the resulting Petri net net1' is added to the place p2.



Fig. 2. Petri nets as tokens (figure: a transition follower marking between the places p1 : System and p2 : System)



3 Specification of Graphs and Petri Nets 

We use HasCasl for the specification of AHO-nets. HasCasl has been introduced in [SM02] as a higher-order extension of the first-order algebraic specification language Casl [CAS99]. HasCasl is geared towards the specification of functional programs, in particular in Haskell; in fact, HasCasl has an executable subset that corresponds quite closely to a large subset of Haskell. Features of HasCasl include partial and total higher-order types, subtypes, polymorphism, type constructors, type classes, and general recursive functions.

We will work with a simplified version of HasCasl specifications. A HasCasl specification SPEC = (S, <, F, Ax) consists of a set S of basic types and type constructors, a subsort relation < on these, a set F of constants (typed in higher-order types over S, including predicate types), and a set Ax of higher-order formulas.

Specifications of sets, partial maps and multisets can be found in [BH]. We here just mention some important operations and predicates. For example, the ternary predicate f :: s → t indicates, for f : S →? T, s : Set S and t : Set T, that f, when restricted to s, actually yields results in t. Here, the types S and T serve as “universes” in which the sets s and t live (as subsets). This will be important when considering graphs and Petri nets as first-class citizens, i.e. as elements of some algebra carrier set (rather than as algebras, as is often done).

Based on the specification of sets and partial maps, Fig. 3 specifies directed graphs, using a set of nodes and a set of arcs, the latter being implicitly given by the domain of the source and target functions. We use the ternary predicate f :: s → t to ensure that the codomain actually is contained in the set of nodes. This yields a subtype of all tuples (n, source, target).
spec Graph = Set then
  sorts N, E
  type Graph = {(n, source, target) : Set N × (E →? N) × (E →? N) •
                  dom source = dom target
                ∧ source :: dom source → n
                ∧ target :: dom target → n}

Fig. 3. Specification of directed graphs in HasCasl



spec PetriNet = Set and Map then
  sorts P, T
  type Net = {(p, pre, post) : Set P × (T →? Set P) × (T →? Set P)
                • dom pre = dom post
                ∧ pre :: dom pre → p
                ∧ post :: dom post → p}

spec PetriSystem = Multiset and PetriNet then
  type Marking = MultiSet P
  type System = {(n, m) : Net × Marking
                  • let (p, pre, post) = n
                    in ∀x : P • x isIn m ⇒ x isIn p}
  ops marking : System → Marking;
      net : System → Net;
      _[_> : System × T →? System;
  forall sys, sys1, sys2 : System; n : Net; x : P; m : Marking; t : T
  • net sys = let (n, m) = sys in n
  • marking sys = let (n, m) = sys in m
  • def sys[t> ⇔
      (t isIn dom pre ∧ ∀x : P • x isIn pre(t) ⇒ x isIn marking(sys))
  • def sys[t> ⇒ sys[t> = (net(sys),
      marking(sys) − setToMultiSet(pre(t)) + setToMultiSet(post(t))) as System

Fig. 4. Specification of Petri nets and systems in HasCasl



Fig. 4 introduces a specification of Petri nets. For simplicity, we assume that there are no multi-arcs between transitions and places. Hence, it suffices to use two functions pre and post that map each transition to its pre- and post-domain of places. Markings are just multisets of places, and a system is a net with a marking (such that the marking actually only uses the places of the net). The firing operation is defined only if the pre-domain of the transition to be fired is contained in the current marking, and in this case, it just subtracts the pre-domain from and adds the post-domain to the current marking.

Fig. 5 now specifies workflow systems. These are systems equipped with a “start” and a “stop” place. The latter easily allow pasting together two workflow systems by uniting them disjointly while identifying the stop place of the first system with the start place of the second one. We have to be a bit careful when performing constructions such as disjoint union and identification (i.e. quotienting). When disjointly uniting two sets s1 and s2 both living in type S, with the usual construction we would end up with a disjoint union living in type S × {0, 1}. However, we want to end up in S again. Therefore, we assume that type S comes with enough infrastructure to internally represent constructions like products, disjoint union and quotienting (e.g. by embedding S × {0, 1} into S somehow). This infrastructure is required by the specification SetConstructions from the appendix. There we also show that it is actually possible to provide such infrastructure for the natural numbers, and this should be easily done for other domains as well.

We also provide operations initNet (yielding a net with two places and one transition), loop (yielding a net with a single place and a “loop” transition) and par. par performs a “parallel composition” of nets, identifying both start and stop places. (We omit the easy specifications of initNet and loop.) Indeed, with these operations, all finite workflow nets can be generated from scratch.

4 Petri Nets as Tokens 

In this section we give the formal basis of AHO-nets as introduced in Section 2. First, we review the basic concepts of AHO-nets as given in [Hof00] in order to define the semantical model. In general, an AHO-net consists of a Petri net with inscriptions of an algebraic higher-order specification.

Definition 1. An AHO-net

    $N = (SPEC, A, P, T, pre, post, cond, type)$

consists of

— the HasCasl specification SPEC = (S, <, F, Ax),

— a SPEC-algebra A,

— sets P and T of places and transitions,

— pre- and post-domain functions

    $pre, post : T \to (T_{SPEC}(X) \otimes P)^{\oplus}$

assigning to each transition t ∈ T the pre- and post-domains pre(t) and post(t), respectively. By $T_{SPEC}(X)$ we denote the set of terms with variables X over the specification SPEC. The set of all type-consistent arc inscriptions $T_{SPEC}(X) \otimes P$ is defined by

    $T_{SPEC}(X) \otimes P = \{(term, p) \mid term \in T_{SPEC}(X)_{type(p)},\ p \in P\}$

and $(T_{SPEC}(X) \otimes P)^{\oplus}$ is the free commutative monoid over this set.
spec WorkflowNet[SetConstructions with S ↦ P]
                [SetConstructions with S ↦ T] =
  PetriSystem
  and AbstractSetConstructions[SetConstructions with S ↦ P fit S ↦ P]
  and AbstractSetConstructions[SetConstructions with S ↦ T fit S ↦ T]
then
  type WFNet = {(sys, start, stop) : System × P × P •
                  let ((p, pre, post), m) = sys in
                    start isIn p
                  ∧ stop isIn p
                  ∧ ¬(start isIn range(post))
                  ∧ ¬(stop isIn range(pre))}
  ops initNet, loop : WFNet;
      _paste_, _par_ : WFNet × WFNet → WFNet
  forall w, w1, w2 : WFNet; sys : System
  • w1 paste w2 =
      let (((p1, pre1, post1), m1), start1, stop1) = w1
          (((p2, pre2, post2), m2), start2, stop2) = w2
          r = λx, y • x = y ∨ (x = inl stop1 ∧ y = inr start2)
                          ∨ (y = inl stop1 ∧ x = inr start2)
          p = (p1 coproduct p2) factor r
          q = coeq r
          t = (dom pre1) coproduct (dom pre2)
          pre t = if def left t then image(q o inl)(pre1(left t))
                  else if def right t then image(q o inr)(pre2(right t))
                  else undefined
          post t = if def left t then image(q o inl)(post1(left t))
                   else if def right t then image(q o inr)(post2(right t))
                   else undefined
          m = map(q o inl) m1 + map(q o inr) m2
      in (((p, pre, post), m), start1, stop2) as WFNet
  • w1 par w2 =
      let (((p1, pre1, post1), m1), start1, stop1) = w1
          (((p2, pre2, post2), m2), start2, stop2) = w2
          r = λx, y • x = y ∨ (x = inl start1 ∧ y = inr start2)
                          ∨ (y = inl start1 ∧ x = inr start2)
                          ∨ (x = inl stop1 ∧ y = inr stop2)
                          ∨ (y = inl stop1 ∧ x = inr stop2)
          p = (p1 coproduct p2) factor r
          q = coeq r
          t = (dom pre1) coproduct (dom pre2)
          pre t = if def left t then image(q o inl)(pre1(left t))
                  else if def right t then image(q o inr)(pre2(right t))
                  else undefined
          post t = if def left t then image(q o inl)(post1(left t))
                   else if def right t then image(q o inr)(post2(right t))
                   else undefined
          m = map(q o inl) m1 + map(q o inr) m2
      in (((p, pre, post), m), start1, stop1) as WFNet

Fig. 5. Workflow systems and how to paste them together
— the firing condition function

    $cond : T \to \mathcal{P}_{fin}(EQNS(S, F, X))$

assigning to each transition t ∈ T a finite set cond(t) of equations over the specification SPEC,

— the type function

    $type : P \to S$

assigning to each place p ∈ P the sort s ∈ S.

The marking of an AHO-net is denoted by tuples consisting of a data element and the place it resides on. The behaviour is given by the firing of transitions, i.e. tokens are moved over the set of places.

Definition 2. Given an AHO-net N as in Definition 1, then a marking m of N is an element of the free commutative monoid $(A \otimes P)^{\oplus}$ where $(A \otimes P) = \{(a, p) \mid a \in A_{type(p)},\ p \in P\}$. Consequently

    $m \in (A \otimes P)^{\oplus}$

Definition 3. Given an AHO-net N as in Definition 1 and a transition t ∈ T. Var(t) denotes the set of variables occurring in pre(t), post(t), and cond(t). An assignment asg : Var(t) → A is called consistent if the equations cond(t) are satisfied in A under asg.

Transitions are enabled under a marking m for an assignment asg, inducing $ASG : (T_{SPEC}(Var(t)) \otimes P)^{\oplus} \to (A \otimes P)^{\oplus}$ with $ASG(term, p) = (\overline{asg}(term), p)$, if $ASG(pre(t)) \le m$. Here $\overline{asg}$ is the extension of the assignment asg to an evaluation of terms (analogously to the first-order case in [EM85]). The follower marking m' then is constructed by

    $m' = m \ominus ASG(pre(t)) \oplus ASG(post(t))$
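The firing operation of Fig. 4 and the follower marking of Definition 3 can be made concrete at both levels at once. The following added Python example (written for this page, not code from the paper or from HasCasl) represents a Net and a System as first-class values as in Fig. 4, and a helper follower (an assumption of this example) fires the transition of Fig. 2: a System token n is consumed from p1, its transition t is fired inside the token, and the result is put on p2, following m' = m ⊖ ASG(pre(t)) ⊕ ASG(post(t)). The token net1 used as input is constructed here.

```python
from collections import Counter
from typing import Dict, FrozenSet, Iterable


class Net:
    """A Petri net (p, pre, post) as a value, as in type Net of Fig. 4.

    pre and post are partial maps from transitions to sets of places; the
    subtype conditions dom pre = dom post and pre, post :: dom pre -> p are
    checked on construction. Instances are hashable so nets can be tokens."""

    def __init__(self, places: Iterable[str], pre: Dict[str, Iterable[str]],
                 post: Dict[str, Iterable[str]]) -> None:
        self.places: FrozenSet[str] = frozenset(places)
        self.pre = {t: frozenset(s) for t, s in pre.items()}
        self.post = {t: frozenset(s) for t, s in post.items()}
        if self.pre.keys() != self.post.keys():
            raise ValueError("dom pre = dom post violated")
        for f in (self.pre, self.post):
            if not all(s <= self.places for s in f.values()):
                raise ValueError("pre/post must yield subsets of p")

    def _key(self):
        def as_tuple(f):
            return tuple(sorted((t, tuple(sorted(s))) for t, s in f.items()))
        return (tuple(sorted(self.places)), as_tuple(self.pre), as_tuple(self.post))

    def __eq__(self, other):
        return isinstance(other, Net) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())


class System:
    """A net together with a marking (type System of Fig. 4): the marking is a
    multiset over the places of the net, and [t> fires a transition."""

    def __init__(self, net: Net, marking) -> None:
        self.net = net
        self.marking = Counter(marking)      # accepts an iterable or a Counter
        if not set(self.marking) <= net.places:
            raise ValueError("marking must only use places of the net")

    def enabled(self, t: str) -> bool:
        """def sys[t>: t is a transition and every place of pre(t) is marked."""
        return t in self.net.pre and all(self.marking[x] >= 1 for x in self.net.pre[t])

    def fire(self, t: str) -> "System":
        """sys[t> = (net, marking - pre(t) + post(t)); partial, like the spec."""
        if not self.enabled(t):
            raise ValueError(f"transition {t!r} is not enabled")
        m = self.marking - Counter(self.net.pre[t]) + Counter(self.net.post[t])
        return System(self.net, m)

    def __eq__(self, other):
        return (isinstance(other, System)
                and (self.net, self.marking) == (other.net, other.marking))

    def __hash__(self):
        return hash((self.net, tuple(sorted(self.marking.items()))))


# AHO-net level (Definitions 2 and 3): a marking is a multiset of (token, place)
# pairs. follower (hypothetical helper) is the transition of Fig. 2 under the
# assignment n := token, t := transition: consume (n, p1), fire t inside n,
# add (n[t>, p2).
def follower(m: Counter, n: System, t: str,
             p_in: str = "p1", p_out: str = "p2") -> Counter:
    if m[(n, p_in)] < 1 or not n.enabled(t):   # ASG(pre) <= m, and n can fire t
        raise ValueError("follower is not enabled under this assignment")
    return m - Counter({(n, p_in): 1}) + Counter({(n.fire(t), p_out): 1})


if __name__ == "__main__":
    # Constructed token net1: start -t1-> mid -t2-> stop, one token on start.
    net1 = Net({"start", "mid", "stop"},
               pre={"t1": {"start"}, "t2": {"mid"}},
               post={"t1": {"mid"}, "t2": {"stop"}})
    sys1 = System(net1, ["start"])
    m0 = Counter({(sys1, "p1"): 1})          # initial AHO marking: net1 on p1
    m1 = follower(m0, sys1, "t1")            # net1' = net1 after t1, now on p2
    for (tok, place), k in m1.items():
        print(place, dict(tok.marking), k)   # p2 {'mid': 1} 1
```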

The notion of processes is well known for low-level Petri nets (see e.g. [Rei85]). It represents a semantical model to study the non-sequential behaviour of Petri nets. In [EHP+02] the notion of processes based on occurrence nets is transferred to Algebraic High-Level Nets, leading to the notion of high-level processes. The main difference between AHO-nets and Algebraic High-Level Nets is that we use an extension of the first-order approach to higher order. So, the definition of higher-order processes seems to be quite natural. An example is presented in Fig. 9 in Section 5.

In our example we use AHO-nets in the area of hospital therapeutic processes. For this reason the data type part is fixed by the HasCasl specification of workflow nets (see Fig. 5 in Section 3), leading to the notion of AHO-nets with workflow nets as tokens.

AHO-nets with graphs as tokens are defined more or less analogously to AHO-nets with workflow nets as tokens. We only have to use the HasCasl specification Graph (see Fig. 1 in Section 3) instead of the HasCasl specification WorkflowNets. Furthermore, a Graph-algebra A implements graph objects and operations appropriate for our application domain.
5 Example: Hospital Therapeutic Processes

In this section we motivate the notions and results of this paper in terms of a practical example inspired by the case study proposal on hospital therapeutic processes in [Han97]. The case study deals with a part of the business processes in a hospital, namely patient therapeutic treatments.

The idea is to model the following situation: The hospital consists of four different departments, each of which has a set of internal activities. First, patients are received at the reception office. After a diagnosis is made, the specialist prescribes medication and certain general treatments, e.g. taking the blood pressure and the temperature. Then patient care plans are carried out, if demanded. Although the case study leaves quite some room for interpretation, it pinpoints a baseline process that concerns the receiving and curing of patients. We intend to follow the baseline process. It subsumes the coordination of patient care plans, i.e. the execution, extension and modification of patient care plans. Hence, our model is specified by AHO-nets with workflow nets as tokens.

For the modeling of patient care plans, we use more or less the specification of workflow nets (see Fig. 5 in Section 3). In our model, workflow nets determine the order in which therapeutic processes have to be performed. We consider a WorkflowNet-algebra CarePlans, such that the patient care plans initPlan, planA and planB depicted in Fig. 6 are elements of the corresponding algebra carrier set CarePlans_WFNet.




Fig. 6. Patient care plans (figure: initPlan, planA and planB; planB consists of the places start and stop joined by the transition taking medicament)

The transition diagnosis in the initial care plan (initPlan in Fig. 6) indicates that a diagnosis of patient diseases is required. The care plan planA models the parallel measuring of two vital values, the blood pressure and the temperature, respectively. The care plan planB represents the taking of some prescribed medication.

Note that the carrier set CarePlans_WFNet consists of more than three elements. The WorkflowNet-algebra CarePlans provides further operations paste_CarePlans and par_CarePlans to implement the sequential and parallel composition of workflow nets. Thus, we obtain further care plans plan1, …, plann ∈ CarePlans_WFNet during the composition of the patient care plans initNet, planA and planB.

To individualize patient care plans we introduce a notion of IDs. In our example there are three different patients, i.e. pat1, pat2, pat3 ∈ CarePlans_ID.
The organizational structure of the hospital is reflected in the static system net, while the patients and their care plans are the tokens of the AHO-net N (see Definition 1 in Section 4):

    $N = (WorkflowNet, CarePlans, P, T, pre, post, cond, type)$

— the specification WorkflowNet (see Fig. 5 in Section 3),

— the WorkflowNet-algebra CarePlans (see above),

— sets P and T of places and transitions with

    P = {patient, patient on ward, care plans, healthy person}
    T = {reception, making care plans, carrying out care plans, discharge}

such that each transition t ∈ T models one specific department,

— pre- and post-domain functions pre and post assigning to each transition t ∈ T a set of internal activities. The arc inscriptions have to ensure that patient care plans are performed in a predefined order,

— the firing condition function cond assigning to each transition t ∈ T the empty set,

— the type function type assigning to each place p ∈ P the sort of identifications and workflow nets. Obviously, we have type(patient on ward) = ID × WFNet for patients inside the hospital. Furthermore type(care plans) = WFNet indicates that we use some kind of resources for the modification of patient care plans.

Due to space limitations, the system net N is split into two main parts depicted in Fig. 7 and Fig. 8. We assume that the two parts can be combined at the common place patient on ward.

In Fig. 7, two patients pat2 and pat3 are waiting in the reception area, while the patient pat1 is on ward. Due to the arc inscription of the transition reception, a patient is equipped with the initial care plan in the reception office. Thus, first of all, patient care plans demand a diagnosis by some specialists. Patient care plans need to be carried out. Notice that workflow nets have their own firing behaviour. Thus, the arc inscription n[t> of the transition carrying out care plans (see Fig. 7) determines the treatment diagnosis in the patient care plan pat1. Subsequently, the care plan pat1 is carried out by some nurse and the current status is updated, i.e. the follower marking is computed.

The fact is that care plans are not fixed once and for all, because they are constantly modified according to the effects of treatments (e.g. the effectiveness of medication). Here, we use the care plan planA and the care plan planB to extend the specific care plan of a patient on ward. Due to the structuring technique paste implemented in our specification WorkflowNets (see Fig. 5 in Section 3), workflow nets can be sequentially composed at a common place. Assume that pat1 has to take medicaments. By firing the transition making care plan, the patient care plan pat1 and planB are pasted together at a common place; the output place of pat1 and the input place of planB are identified. To complete the hospital therapeutic process, the discharge of patients is in some sense the reverse activity of the reception office (see Fig. 7), i.e. patients lose their care plans, which are now completed.

Fig. 7. Reception office and carrying out care plans (figure: places patient : ID and patient on ward : ID × WFNet, transitions reception and carrying out care plan)

Fig. 8. Making care plans (figure: places patient on ward : ID × WFNet and care plan : WFNet, transition making care plan; the token planA runs from start to stop through the parallel transitions taking blood pressure and taking temperature)

To illustrate the semantics of the hospital system N in more detail, one of many possible higher-order processes (see Section 4) is depicted in Fig. 9. We assume that the patient pat1 is on ward. First of all the diagnosis is made by some specialists. Then, we assume that the medical examination permits the treatment by planA. Thus, the actual care plan plan1 of patient pat1 is enlarged by planA. Subsequently, the care plan is carried out by some nurse and the current status is updated. We use the operation paste a second time to extend the patient care plan by planB. Finally the patient care plan is carried out step by step. The patient is discharged at a certain point in time. But this yields another process, which is not depicted here.



Fig. 9. A higher-order process of the AHO-net N (figure)

6 Conclusion

First of all, in this paper the notion of AHO-nets with graphs and Petri nets as tokens is introduced and then formalized. The main benefit of this paper is to provide a suitable specification of workflow nets in HasCasl (see Section 3). We have introduced four operations that can be used at the transitions of higher-order nets and that suffice to generate all finite (low-level) workflow nets due to the operation of parallel composition. In the second part we model a simplified version of a hospital system showing the usefulness of our approach in the application area of business processes (see Section 5). Our model illustrates some of the aspects inherited from the expressiveness of HasCasl specifications.
One of the open research problems with regard to our specifications is to develop further structuring techniques to change the structure of workflow nets, e.g. operations based on homomorphisms. Thus, we would be able to generalize the paste operation of workflow nets to the well-known pushout construction of Petri nets (see e.g. [GHP99]).

Another promising topic is the flexible modification of workflow nets, e.g. removing specific treatments in patient care plans, using the general framework of high-level replacement systems [EHKP91]. Technically, the operations are based on rules and transformations to guarantee the local modification of workflow nets. In the resulting formalism of AHO-nets a set of predefined rules is interpreted as a special kind of resources, while transformation represents certain internal activities in our model.

In this paper, patient care plans are represented by workflow nets. Indeed, patient documents are more complex in practice. A first-order specification of patient documents on a large scale can be found in [Erm96], which can be fully integrated into our model.

In the application area of agent modeling, objects are characterized by autonomy and mobility (see e.g. [Han00]). Here we can use AHO-nets to model the agent platform with places containing agent structures and transitions modeling the autonomous behaviour and communication of agent objects. But this is part of further research.
A Set representations

If we want to iterate the constructions product, disjoint union and quotient on sets, we need to circumvent the problem that the type of the sets changes with each construction. This means that we need a specific type S which comes with the possibility to represent the result of the above mentioned constructions again in S. The specification SetConstructions (Fig. 10) states the abstract requirement that such representations exist for a given type S. We also provide a sample set representation for the natural numbers. It uses Cantor's diagonalization for pairs of natural numbers, even and odd numbers as two copies of the natural numbers (for coproducts), and chooses the minimal element as representative of an equivalence class.

Given a set representation, we now can define products, coproducts, coequalizers and pushouts, while staying within the same type of sets. Note that _×_ is now overloaded: for two given S-sets, it delivers either an S × S-set, as defined in the specification Set above, or an S-set, as defined here. We also could specify the mediating morphisms that exist by the respective (co)universal properties of the constructions.
spec Relation = Set then
  var S : Type
  ops reflexive, symmetric, transitive : Pred(Set(S × S))
  forall r : Set(S × S)
  • reflexive r ⇔ ∀x : S • r(x, x)
  • symmetric r ⇔ ∀x, y : S • r(x, y) ⇒ r(y, x)
  • transitive r ⇔ ∀x, y, z : S • r(x, y) ∧ r(y, z) ⇒ r(x, z)
  type PER S = {r : Set(S × S) • symmetric r ∧ transitive r}
  op dom : PER S → Set S
  forall x : S; r : PER S
  • x isIn dom r ⇔ (x, x) isIn r

spec SetConstructions = Map and Relation then
  type S;                              %% arbitrary but fixed
  ops pair : S × S → S;                %% products
      inl, inr : S → S;                %% coproducts
      coeq : PER S → Map S;            %% quotients
  • injective pair
  • injective inl
  • injective inr
  • (range inl) disjoint (range inr)
  forall r : PER S
  • ker(coeq r) = r

spec NatSetConstructions = Map and Nat then
  ops pair : Nat × Nat → Nat;
      inl, inr : Nat → Nat;
      coeq : PER Nat → Map Nat;
      min : Pred Nat →? Nat
  forall r : PER Nat; m, n : Nat
  • pair(m, n) = ((m + n) × (m + n + 1) + 2 × m) div 2
  • inl m = 2 × m
  • inr m = 2 × m + 1
  • min p = n ⇔ (p n ∧ ∀m : Nat • m < n ⇒ ¬p m)
  • coeq r n = min(λm • (m, n) isIn r)

view SetConstructionsToNatSetConstructions = S ↦ Nat

spec AbstractSetConstructions[SetConstructions] given Map = %def
  ops _coproduct_ : Set S × Set S → Set S;
      pi1, pi2 : S →? S;               %% product projections
      left, right : S →? S;            %% partial inverses of the coproduct injections
      factor : PER S → Set S;          %% quotient: coeq r :: dom r → factor r
  forall x, y : S; s, s1, s2, t : Set S; f, g, h : Map S; r : PER S
  • pi1(pair(x, y)) = x
  • pi2(pair(x, y)) = y
  • s1 × s2 = image pair (s1 × s2)
  • s1 coproduct s2 = (image inl s1) union (image inr s2)
  • def left x ⇔ x isIn range inl
  • def right x ⇔ x isIn range inr
  • left(inl x) = x
  • right(inr x) = x
  • factor r = range(coeq r)
  • f :: dom r → t ∧ ker f ⊆ r ⇒ mediate r f (coeq x) = f x

Fig. 10. Set representations: a tool for “internal” (co)limits
Abstract. We look at a new way of specifying and verifying crypto- 
graphic protocols using the Coalgebraic Class Specification Language. 
Protocols are specified in CCSL (with temporal operators for “free”) 
and translated by the CCSL compiler into theories for the theorem 
prover PVS. Within PVS, the desired security conditions can then be 
(dis)proved. 

In addition, we are interested in using assumptions which are reflected 
in real-life networks. However, as a result, we present only a partial 
solution here. We have not proved full correctness of a protocol under 
such loose restrictions. This prompts discussion of what assumptions 
are acceptable in protocol verification, and when practical concerns may 
outweigh theoretical motivations. 



1 Introduction 

Cryptographic protocols (also called “security protocols” ) give an abstract rep- 
resentation of a method for communicating securely over an open (insecure) 
network in such a way that goals such as secrecy, authentication, integrity or 
a combination of these conditions are satisfied. Verification of such protocols is 
(since [2]) an important subject of research where formal methods are applied. 
Their small size (usually just a few lines) and the difficulties in designing ‘safe’ 
protocols make them very suitable for formal analysis. 

Of course, one must be careful in the formalization. The small expression of 
a protocol typically hides many implicit assumptions about the behavior of the 
principals, freshness, etc. Formalization of a protocol in a logic exposes implicit 
assumptions about the network, the behavior of participants, and so on. 

The difficulty of analyzing security protocols is apparent from the history 
of the so-called Needham-Schroeder public key authentication protocol from [8]. 
This protocol, first published in 1978 and proved to be secure in 1989 (in [2]), 
contained a flaw which was finally found by Gavin Lowe (in [5]), 17 years after 
its original publication. 

We propose a new way of analyzing cryptographic protocols, using the theory 
of coalgebras and hence “coinductive” reasoning^ at its core. This approach is 

^ We use the term coinductive loosely here. We do not mean the principle that bisimilar 
elements of a final coalgebra are equal. Rather, we mean that our distinguished 
predicates are coalgebraic invariants, which are analogues to inductive predicates 
for algebras. 
closely related to Paulson’s inductive approach [11]. The difference between the 
two is conceptual. Paulson’s model is fundamentally algebraic: he models the 
situation by an initial algebra of finite traces, and so relies on induction as his 
fundamental principle. We, instead, use a coalgebraic model (of infinite traces), 
and reason about invariants. 

As a first case study, we analyzed the Bilateral Key Exchange protocol (BKE) 
[3], which we describe in Sect. 2. We built an informal model of the protocol, first 
by constructing an informal model of message passing in a network setting. This 
model includes the presence of a powerful spy, in the Dolev-Yao tradition [4]. 

When modeling the protocol, we took a decidedly liberal approach. We 
avoided certain assumptions present in other protocol verifications, particularly 
those that are not realistic, i.e., do not hold in real networks in which the pro- 
tocol will be implemented. In particular, it is common to require that, if A and 
B are using a specific protocol, then the only messages they send are messages 
required by the protocol itself. Let us call this the protocol message axiom. But, 
in a natural setting, it is likely that, while A communicates with B over the net- 
work, she^ is also holding other conversations with other participants (or even 
with B). So, it does not seem a realistic assumption. 

The protocol message axiom may still be reasonable, if one has an a priori 
argument that it is a harmless assumption. That is, perhaps there is a good 
argument that, if there is a successful attack on the BKE protocol, then there 
is a successful attack during which A and B send only protocol messages. If so, 
then one ought to assume the protocol message axiom, since it simplifies the 
analysis. However, we do not have such an a priori argument. Consequently, we 
chose not to assume the axiom, so that our resulting correctness proofs are that 
much more persuasive. 

The result was not wholly successful. If one drops the protocol message ax- 
iom, then one must carefully choose more reasonable axioms that allow the par- 
ticipants to act flexibly without behaving stupidly. These axioms include that 
the participants do not send messages with their private keys or with received 
secrets and so on. As well, one needs to decide when a received message contains 
a secret, so that the participant does not reveal it. 

However, this is the minor part of the difficulty. We found that the resulting 
correctness proofs become very difficult indeed, because the reasoning involved 
requires subtler partitioning of classes of messages. This partitioning may be in- 
troduced via appropriate fixed point constructions, and adds considerable com- 
plexity to the analysis. As well, the resulting proofs become subtle and difficult, 
and certainly are not amenable to automation. 

In the end, we proved that, if the principals never send messages containing 
protocol secrets (the nonces, keys, etc., relevant to the protocol), aside from 
those required by the protocol, then these secrets will not become public (and, 
in particular, the Spy will never acquire a secret). However, we did not prove 
that this condition is met under reasonable assumptions about the behavior of 



^ It is customary in the literature on cryptographic protocols to refer to A and B as 
Alice and Bob. 
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the participants. In particular, one must show that the Spy can’t compel one of 
the participants to reveal a secret to him (presumably by forgery). We believe 
that, indeed, this conclusion is provable, but found that the difficulty of the 
proofs was such that it became dubious that the proofs were worth the effort^. 
For purely practical concerns, perhaps the protocol message axiom ought to be 
adopted in formal security verifications, contrary to our approach. 

This paper contributes a discussion of two orthogonal issues, then. First, 
we discuss coalgebraic models of security protocols. We advocate the Coalge- 
braic Class Specification Language, CCSL, for specifying protocols, exhibit the 
features of CCSL that make it attractive, and indicate how correctness proofs 
proceed. As a separate issue, we discuss a particular model for Bilateral Key 
Exchange, in which we have avoided the protocol message axiom. We explain 
the philosophical motivation behind this decision, and the large practical con- 
sequences as well. We offer the conflict between the philosophical and practical 
concerns as an open problem to be discussed. 

The remainder of this paper is organized as follows: Sect. 2 gives a concrete 
example of a security protocol. Section 3 gives an informal overview of how we 
model the protocol without going into implementation details. Section 4 briefly 
describes the specification language CCSL [12], and how we implement the in- 
formal model using the specification language. Due to space restrictions, the 
technical discussions in Sects. 3, 4 and elsewhere are unfortunately curt. We 
hope that they are sufficient to convey the motivation and basic implementation 
of our work. Section 5 discusses the protocol message axiom and the effect of 
omitting it from our specification. Section 6 describes the relation between our 
approach and others and Sect. 7 ends with some conclusions. 

2 An Example Protocol 

As an example of a security protocol, we consider the Bilateral Key Exchange 
with Public Key Protocol (see §6.6.6. of [3]). It is a simple protocol for distributing 
a session key between two principals A and B, who are also authenticated to 
each other. The session key can be used for secure communication thereafter. 

We take the protocol as given, and do not criticize or alter it in our presen- 
tation. Thus, any redundant features are left unchanged in our analysis, etc. 

The usual abstract notation from the literature for such a protocol can be 
seen in Fig. 1. 

Informally, the protocol describes the following exchange. 

1. B sends to A a message containing B’s identity, B, and an encrypted sub- 
message including a nonce (i.e., a random number, assumed to be not guess- 
able), N_B, and again the text B. It is encrypted with A’s public key pk_A. 

® We think these problems are independent of our coalgebraic basis. They would also 
arise in Paulson’s inductive approach if one omits the consequences of the protocol 
message axiom. 
1. B → A : B, {N_B, B}_{pk_A} 

2. A → B : {Hash(N_B), N_A, A, K_AB}_{pk_B} 

3. B → A : {Hash(N_A)}_{K_AB} 

Fig. 1. Bilateral Key Exchange with Public Key Protocol 



2. When A receives the message, she decrypts it with her private key pk_A^{-1}. 
She responds by replying with a Hash of B’s nonce N_B, a new nonce N_A 
generated by A, the plain text message A and the session key K_AB. All are 
encrypted under B’s public key pk_B. 

3. B receives and decrypts the message and sends a response to A containing 
a Hash of A’s nonce, N_A, encrypted using the session key K_AB. 

We will use this protocol as a running example throughout this paper. We 
chose it for three reasons: (i) it is simple; (ii) it is a hybrid protocol, 
meaning it uses both symmetric and asymmetric encryption; (iii) it has two dif- 
ferent security goals, authentication and secrecy. These three features make the 
protocol (at least in our eyes) a useful example for a new verification approach. 



3 Modeling 

In this section we describe our model informally, giving basic concepts with- 
out technical details. We use the word “model” loosely here. Its meaning will 
stay informal for this section. Also, in this section, the coalgebraic features of 
our model are hidden. These features and a more technical description of our 
implementation in the Coalgebraic Class Specification Language [12, 14] will be 
discussed in Sect. 4. 



3.1 Security Model and Related Assumptions 

We make a number of general assumptions and abstractions to form our Security 
Model. These should reflect the situations in which protocols are used. 

Although the protocols are called cryptographic protocols, we will not consider 
attacks on the underlying cryptography. Analysis of cryptographic protocols 
deals with the application of cryptographic primitives, not cryptography itself. 
This so-called Perfect Cryptography assumption treats cryptographic primitives 
as black box processes that work as intended. 

We consider a network with any number of participants and one attacker. 
The attacker is the most powerful one known to us; the spy from the Dolev-Yao 
model [4]. He is an active attacker who can intercept, redirect and alter arbitrary 
messages between principals. However, the spy cannot decrypt or encrypt mes- 
sages with keys he does not know, so he has control over the network, but cannot 
defeat the encryption algorithms. The spy can also send and receive messages as 
a normal participant in the network. 
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Some of the other assumptions we use are not literally true about real-life 
networks and computations, but have practical justifications. In particular we use 
concepts such as “perfect” one way, collision free, hashes and “real” randomness 
of nonces. 

There are a number of restrictions we omit that are common in the literature. 
For instance, we assume neither a fixed number of participants (as in [7]) nor 
a limited number of parallel protocol runs (as in [6,7]). Moreover, we avoid the 
following assumption. 

Protocol Message Axiom: If a participant P distinct from the Spy 

sends a message m, then m is required by the protocol. 

For instance, in [11], the author explicitly includes axioms of the form: 

If evs is a trace containing “B says to S the message A,” then evs may 

be extended by “S says to B' the message A'.” 

Because there is no other allowance that S (distinct from the Spy) sends a 
message^, Paulson is committed to the protocol message axiom. To the best of 
our knowledge, all other approaches assume a similar restriction. 

We chose to avoid this axiom because it is unrealistic. In a network, the 
participants send many different messages, the majority of which bear no re- 
semblance to protocol messages. We wished to be clear on what assumptions 
on the behavior of participants are sufficient to conclude that the protocol will 
reach a correct state. For this end, we chose to adopt only those assumptions 
which are reasonably reflected in actual networks, or have a priori arguments for 
their acceptance. We do not have an argument for the acceptance of the proto- 
col message axiom (although, in the end, practical concerns form a very strong 
argument). 

Indeed, there is a simple argument against the axiom. Suppose that the initial 
message B, {N_B, B}_{pk_A} in the Bilateral Key Exchange protocol is sent from B 
to A. Suppose as well that, prior to A’s receipt of same, the Spy sends A a 
message, containing {N_B, B}_{pk_A} and a note asking for assistance decrypting the 
message. If A complies with this request, and sends a response back to the Spy, 
then clearly the protocol has gone awry. 

This is not to say that such behavior is reasonable on the part of A, but 
one would like protocol analyses to provide a more or less explicit description of 
what behavior is reasonable, i.e., what behavior ensures successful completion 
of the protocol. 

Unfortunately, this aim is difficult indeed, and our present analysis did not 
wholly succeed in clarifying these issues. One must decide where feasibility su- 
persedes the motivations above. 

3.2 Message Passing 

We begin by describing a general setting in which principals pass messages in 
the presence of a powerful Spy (the Dolev-Yao spy described above). For now, 

^ Although, Paulson does allow accidental loss via Oops events, these accidents do not 
really clarify what behavior among principals ensures success. 
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messages can simply be seen as concatenations of identifiers, nonces, hashes and 
keys, all of which can be (multiple-times) encrypted. Example messages can be 
seen in the three steps from Fig. 1. 

The model consists of states and transitions between states, where each state 
is intended as a temporal snapshot of the network. A state is fully characterized 
by the following: 

— its action, that is, what has just occurred. 

— the mode of the Principals (see below). 

— its next state, i.e., what state follows the current state. 

A state’s action describes the Event that has occurred in that state. There 
are three Event types: (i) nothing happens, i.e., the system is idle; (ii) some 
Principal P sends a message m to another Principal Q; (iii) some Principal P 
receives message m. Note that the Spy is a Principal which can play the role of 
either P or Q. 

A Principal’s mode is fully given by (i) the public/private key pair a principal 
owns, (ii) his knowledge and (iii) the beliefs of the principal. Note that public and 
private keys are unique to each principal and that both knowledge and beliefs 
are state dependent, i.e., change as the system progresses (via next). 

When we refer to an agent’s knowledge, we mean the collection of messages 
with which he is familiar. A belief, for our purpose, is a statement of the form 
“P knows m”. An agent ought to believe “P knows m” just in case he has 
seen evidence that m is indeed in P’s knowledge, but what counts as evidence 
depends on a specific protocol. Note: the objects of knowledge, for our purposes, 
are messages, while the objects of belief are statements. Knowledge does not 
consist of some variation of “true beliefs” . 

Given a state x, the next state (written x.next) is intended as the moment 
after x. Thus, our interpretation of “next” has a temporal flavor, yielding infor- 
mal notions of prior, eventually, etc. It is constrained by x.action and the 
mode of the principals at present. The constraints include: 

— If x.action = idle, then the mode of each principal is unchanged in x.next. 

— If, in x, P sent a message m to Q then 

1. The Spy learns m (see below). 

2. All other agents do not change their mode. 

— If P receives message m, then 

1. P learns m. 

2. All other agents do not change their mode. 

Notice that a model is a deterministic, but underspecified, transition system. 
Given a particular state x, there is a unique next state, x.next. Hence, the system 
is deterministic. However, even if one knows everything about state x, he will 
not know the action of x.next. Thus, it is underspecified. 

Here we omit certain other constraints on our model. For instance, we require 
that the sender of a message already knows the message, and that sent messages 
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are Eventually received®. Also particular protocols add additional constraints, 
including axioms regarding beliefs. More on this in Sect. 4. 

When a principal P learns a message m (that is, when P = Spy and m is 
sent, or when P receives m), then his knowledge increases. Clearly, after learning 
m, P knows m. But he also knows the sub-messages of m, subject to the 
constraint that he only gains knowledge of an encrypted sub-message if he knows 
the appropriate key. As well, if m contains a key, then P may be able to decrypt 
other messages which he already knew. This complicated effect of learning is 
modeled by appropriate fixed points, about which more later. 

3.3 Protocol 

The general setting described in the previous section provides a foundation for 
the specification of particular protocols. Each protocol description includes also 
the following: 

— rules governing reactions to certain messages; 

— axioms governing belief updating; 

— correctness conditions for the protocol. 

The first item is complicated by the fact that we rejected the protocol message 
axiom in our model. In the presence of that axiom, one would include rules like: 
If a principal Q receives a message of the form P, {P, N_1}_{pk_Q}, then he should 
respond with a message to P of the form {Hash(N_1), N_2, Q, K}_{pk_P}, where N_2 
and K are fresh. Also, this second message is the only message which Q can 
send which contains N_1 (as a subterm). 

However, a problem arises in that Q may learn the nonce N_1 without re- 
ceiving the full message P, {P, N_1}_{pk_Q}. For instance, the Spy may intercept P’s 
message to Q and send simply {P, N_1}_{pk_Q}. If Q does not treat N_1 as a secret 
with P, then the protocol will go awry. Therefore, our rule must be more re- 
strictive. We require that, if Q receives a message m from which he can extract 
{P, N_1}_{pk_Q}, then he will send an appropriate response to P and no other message 
from Q will contain N_1 as a subterm. 

As mentioned previously, beliefs are state and protocol dependent. For the 
Bilateral Key Exchange Protocol beliefs are modeled as follows: 

— If, in some state x, protocol message 2 ({Hash(N_2), N_3, Q, K}_{pk_P}) is received 
by P and is consistent, then P believes in state x.next that Q knows the 
session key K. 

— If, in some state x, protocol message 3 ({Hash(N_4)}_K) is received by Q and 
is consistent, then the recipient of the message believes in state x.next that 
his correspondent knows the session key K. 

We include these axioms so we may prove that, at the end of the protocol, both 
participants believe correctly that each knows the session key and hence they 
may communicate. 

But, in the meantime, the Spy can do whatever he likes. 



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3.4 Correctness Conditions 

Correctness conditions depend on the goals of a protocol. Looking again at the 
Bilateral Key Exchange protocol we are interested in two security concepts. First, 
we want to be certain that only the principals running the protocol learn the 
session key and no one else does, i.e., that the protocol ensures secrecy of the 
session key. The other interesting property is authentication^ in this case mutual 
authentication. This means that both principals become certain of the identity 
of their correspondent. 

In the end we want to prove something like the following: Given that the 
principals behave in a responsible manner and given the general security model, 
when an agent B starts the Bilateral Key Exchange protocol with another agent 
A, both agent A and agent B will eventually know the session key and both 
principal A and B will believe that each other knows the session key. This 
session key should be a shared secret between A and B. Explicitly, our notion 
of correctness requires the successful (but not timely!) completion of a protocol 
run. 

Again, we stress that, at present, we have not proved such a strong condition 
given our weak axioms. We have shown that, if the participants never send any 
message containing the nonces N_A, N_B or the keys pk_A^{-1}, pk_B^{-1} and K_AB, aside from 
those messages required by the protocol, then K_AB will never become known to 
the Spy. This is an important step toward correctness, but there is much real 
work to finish the proof. This work involves subtle least fixed point constructions 
for classes of messages, among other considerations (see Sect. 4.3 for examples). 

In the next section we will describe how we implemented this model in CCSL. 



4 Implementation 

The Coalgebraic Class Specification Language [12, 14] provides a logical frame- 
work for writing specifications involving both algebras and coalgebras. Users 
can freely nest algebraic and coalgebraic specifications. This allows one to use 
algebraic models for inductively generated data types, e.g., the static structure 
in our implementation, and coalgebras for behavioral types, e.g., the dynamic 
structure of the implementation. Indeed, we call our approach “coinductive” to 
reflect our reliance on coalgebraic reasoning. 

Let us return to the message passing structure from Sect. 3.2. We want to 
explicitly show how this description involves a coalgebraic structure. An imple- 
mentation for the message passing context consists of a set X together with 
three functions: 



action : X → Events 

mode : X × Principal → PrincMode 

next : X → X 

This is equivalent to a set X and a single function with type 
X → Events × PrincMode^Principal × X 

Hence we can view a model as a coalgebra, specifically a coalgebra for the functor 
X ↦ Events × PrincMode^Principal × X. 

More generally, one can view object oriented classes as coalgebras for a suit- 
able functor. This is the key motivation behind CCSL, where a class specification 
is modeled by a coalgebra. CCSL provides the formal language for describing 
a class specification, and a compiler for translating specifications into logical 
theories. 

One writes a formal specification in the language CCSL and compiles it into 
a theory for PVS [13,9] (or Isabelle [10]). This translation includes generating 
basic definitions, axioms and lemmas from the informal theory of coalgebras. For 
instance, CCSL creates the definitions for invariant predicate, homomorphism, 
etc., the proof principle of coinduction (in the case that our model is canonical), 
basic temporal operators for Eventually and Always as well as axioms (S4) and 
lemmas for these operators, and so on. 

Our motivation for using CCSL, then, was threefold. First, a coalgebraic 
model seemed natural for security protocols. The dynamic features of a mes- 
sage passing system are easily translated to a coalgebraic structure. Second, the 
CCSL language is a well-developed formal setting for specifying coalgebraic mod- 
els, and includes temporal operators useful for expressing correctness of security 
protocols. As well, CCSL supports mixing algebraic and coalgebraic specifica- 
tions, which is particularly useful here. Third, the compiler creates PVS theories 
(in our use), so that we can exploit the speed and power of PVS in order to 
prove our theorems. This means that we can use a formal language built just 
for coalgebraic specifications to model the protocol, and use an existing theorem 
prover to prove our theorems. Also, the theory generated by CCSL goes well be- 
yond what we include in the specification, since it includes the temporal axioms 
and coalgebraic features “for free” . 

The fact that, in the end, we offer only a partial proof of the correctness of 
the protocol does not reflect on the appropriateness of CCSL and a coalgebraic 
approach generally. We still firmly believe that a coalgebraic model is perfectly 
appropriate and natural for a dynamic system, and that in particular CCSL 
offers a good setting for specifications. However, we must question whether our 
aim of avoiding the protocol message axiom is a practical decision. We are confi- 
dent that the correctness proofs can be completed even without this axiom, but 
the resulting arguments are very long and difficult and the extra payoff largely 
theoretical at present. 

4.1 Specification 

In implementing the model we use two key features of CCSL, (i) modularization 
and (ii) inheritance. 

By modularization, we mean that distinct features of our specification are 
treated separately. For instance, the features of a principal’s mode (knowledge. 
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beliefs, public/private key pair) can be largely separated from the message pass- 
ing specification, although the latter depends on the former. More explicitly, 
we have a class specification, PrincMode, for the principal’s mode, and another 
specification, MsgContext, for the message passing system. The effects of learn- 
ing are segregated in the former, and changes there influence the latter only 
indirectly (via the mode : X × Principal → PrincMode method). This simplifies 
the creation of the specification, and allows one to change his implementation 
of knowledge-updating without explicitly changing the MsgContext specification 
(although, existing proofs will often need to be revisited). 

The language CCSL includes an inheritance relation, so that one specifica- 
tion may inherit from another. This feature allows one to treat message passing 
generally, and inherit from this treatment for each individual protocol specifi- 
cation. In our work, we restrict our use of inheritance so that it preserves the 
models, in the sense that, given a particular protocol Prot, we have 

Model(Prot) ⊆ Model(MsgContext). 

In other words, all of the restrictions (i.e., axioms) that we have placed on the 
general setting apply to the particular setting of a given protocol. Thus, theorems 
proved about the general setting are inherited by the particular protocols as well, 
minimizing the amount of repeat effort. 

Figure 2 shows the dependencies of the different classes, where double ar- 
rows (⇒) show the inheritance relations. The broken arrow (⇢) shows 
that MsgContext depends on PrincMode. This dependency is an application of 
modularization in our specification. 




Fig. 2. Theory dependencies 



4.2 Temporal Operators in CCSL 

As mentioned previously, the language CCSL includes the temporal Always (□) 
and Eventually (O) operators. In this section we will explain how these are 
defined. 

Recall that the CCSL compiler defines an appropriate notion of class invari- 
ant for each class specification. The “always” operator is defined in terms of 
invariants. Specifically, □P is the largest invariant which implies P, i.e., 

□P = λ(x : Self) : ∃(Q : Self → bool) (Q(x) ∧ invariant(Q) ∧ Q ⊆ P). 

In our specification, the only method with non-constant codomain is next, which 
has type Self → Self. This method has a natural temporal meaning, and this 
imposes a purely temporal interpretation on □. Indeed, we see that □P(x) holds 
iff P holds at x and every state thereafter, so □ really is the Always (or “hence- 
forth”) temporal operator. 

As usual, ◇ is defined as ¬□¬. Therefore, ◇P(x) holds iff there is some state 
“in the future” of x in which P holds, i.e., Eventually P. 

The compiler provides, in addition to the definitions for □ and O, a number 
of lemmas about their behavior. In particular, the compiler proves that the 
operators satisfy S4. 
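The two definitions above, carried out on a small finite model, as an added example that is not part of the paper and not the CCSL compiler’s own output. Here □P is computed as a greatest fixed point (prune P until it is closed under next), ◇ as ¬□¬, and the S4 laws (T, 4 and K) are checked by brute force over every predicate of the model. The model is a constructed linear trace of one BKE run that idles forever afterwards; the action strings are labels only and carry no message content.

```python
# Added example: Always/Eventually of Sect. 4.2 on a finite deterministic model.
# Not from the paper; the trace below is constructed for illustration.
from itertools import combinations
from typing import Callable, FrozenSet, Hashable, Iterable

State = Hashable
Pred = FrozenSet[State]            # a predicate on Self is a set of states
Next = Callable[[State], State]


def is_invariant(q: Pred, nxt: Next) -> bool:
    """Coalgebraic invariant: Q is closed under the only state-valued method, next."""
    return all(nxt(x) in q for x in q)


def always(p: Pred, nxt: Next) -> Pred:
    """□P, the largest invariant contained in P: greatest fixed point of
    X ↦ P ∩ {x | next(x) ∈ X}, reached by pruning P until it is closed under next."""
    cur = frozenset(p)
    while True:
        pruned = frozenset(x for x in cur if nxt(x) in cur)
        if pruned == cur:
            return cur
        cur = pruned


def eventually(p: Pred, states: Pred, nxt: Next) -> Pred:
    """◇P = ¬□¬P, with negation taken relative to the finite state space."""
    return states - always(states - p, nxt)


def all_preds(states: Pred) -> Iterable[Pred]:
    """Every predicate over a finite state space (2^n subsets)."""
    xs = sorted(states)
    for k in range(len(xs) + 1):
        for c in combinations(xs, k):
            yield frozenset(c)


def is_largest_invariant(p: Pred, states: Pred, nxt: Next) -> bool:
    """Check the defining property: □P is an invariant below P, above every other."""
    bp = always(p, nxt)
    return (is_invariant(bp, nxt) and bp <= p and
            all(q <= bp for q in all_preds(states) if q <= p and is_invariant(q, nxt)))


def check_s4(states: Pred, nxt: Next) -> bool:
    """T: □P ⊆ P;  4: □P = □□P;  K: □(P → Q) ∩ □P ⊆ □Q, for all predicates P, Q."""
    box = {p: always(p, nxt) for p in all_preds(states)}
    for p, bp in box.items():
        if not (bp <= p and box[bp] == bp):
            return False
        for q, bq in box.items():
            if not (box[(states - p) | q] & bp <= bq):
                return False
    return True


# Constructed model: one BKE run as a linear trace, idle forever afterwards.
# State i has action ACTIONS[i]; next(i) = i + 1, and the final state loops on itself.
ACTIONS = {
    0: "idle",
    1: "sent(B, A, m1)",
    2: "received(A, m1)",
    3: "sent(A, B, m2)",
    4: "received(B, m2)",
    5: "sent(B, A, m3)",
    6: "received(A, m3)",
    7: "idle",
}
STATES: Pred = frozenset(ACTIONS)


def nxt(x: int) -> int:
    return min(x + 1, 7)


def states_where(prefix: str) -> Pred:
    """The predicate 'the action in this state starts with prefix'."""
    return frozenset(x for x, a in ACTIONS.items() if a.startswith(prefix))


if __name__ == "__main__":
    print("□idle       =", sorted(always(states_where("idle"), nxt)))
    print("◇received(A, m3) =", sorted(eventually(states_where("received(A, m3)"), STATES, nxt)))
    print("S4 holds:", check_s4(STATES, nxt))
```

On this trace □idle is just the final state (state 0 is idle but its successor is not), and ◇received(A, m3) holds in states 0 to 6 but not in the idle loop at 7, which is why the next-based reading of □ and ◇ matches the “henceforth” and “eventually” explained above.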

4.3 Messages and Learning 

Messages are formally modeled by an Abstract Data Type. Explicitly, our model 
of messages is the least set S such that: 

— For all P ∈ Principal, N ∈ Nonce, and K ∈ Key, the syntactical objects 
princ(P), nonce(N) and key(K) are in S; 

— If m ∈ S then hash(m) is also in S; 

— If m1 ∈ S and m2 ∈ S then msgpair(m1, m2) is also in S; 

— If m ∈ S and K ∈ Key then symenc(K, m) and asymenc(K, m) are also in S 
(representing symmetric and asymmetric encryption, resp.). 

In other terms, our model of messages is an initial algebra, and in particular 
comes with a principle of induction. 

We define two closure operators⁶ on P(Message), the power set of Message. 
The first, ↓ (read: downward closure), is intended to capture extractability. That 
is, given S ⊆ Message, a message m is in ↓(S) just in case one can extract m 
from the messages in S (in particular, using only keys that are themselves in 
↓(S), so a key extracted from one message may open another). Explicitly, 
↓(S) is the least set satisfying 

— S ⊆ ↓(S); 

— if msgpair(m1, m2) ∈ ↓(S), then so are m1 and m2; 

— if symenc(K, m) and key(K) are in ↓(S), then so is m; 

— if asymenc(K, m) and key(K^{-1}) are in ↓(S), then so is m. 

The upward closure, ↑, of a set S of Message is also given by a least fixed 
point condition. It consists of all of the messages that can be constructed from 
messages in S. We omit an explicit definition here, since it is analogous to ↓. 

These two operators are used to axiomatize the effect of learning a message. 
Suppose that, in state x, an agent P knows exactly the set of messages S, and 
that he receives (or, if P = Spy, snoops) message m. Then, in state x.next, the 
agent should know 

↑↓(S ∪ {m}). 

(Note: given a set S, ↓↑↓(S) ⊆ ↑↓(S), and so ↑↓ is idempotent.) 

The fixed point constructions here are not sufficient to prove correctness 
of a protocol in the absence of the protocol message axiom. For that, subtler 
constructions are required, which we omit here for concern of space. 



⁶ The closure ↓ corresponds to Paulson’s analz operator in [11], while ↑ corresponds 
to synth. 
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4.4 MsgContext 

We cannot show the complete specification of our model in this paper. Thus, 
in this section we give the CCSL specification of the constructs explained in 
Sect. 3.2. 

Recall that we restrict the next operator according to the event and the mode 
of the principals at the current state. In the general MsgContext class we have 
defined an axiom action that does just this. 

CCSL 

∀(P : Principal), ∀(Q : Principal), ∀(x : Self), ∀(m : Message) : 
action: 

  CASES x.action OF 
    idle : 
      ∀(R : Principal) : 
        x.next.princmode(R) = x.princmode(R) 
    sent(P, Q, m) : 
      ∀(R : Principal) : 
        ¬(R = Spy) → 
          x.next.princmode(R) = x.princmode(R) ∧ 
      x.next.princmode(Spy) = x.princmode(Spy).learns(m) ∧ 
      x.princmode(P).knows(m) ∧ 
      (◇(λ(z : Self) : 
           receivedBy?(z.action) ∧ 
           receivedBy_rcp(z.action) = Q ∧ 
           receivedBy_msg(z.action) = m) 
        FOR {next}(x.next)) 
    receivedBy(P, m) : 
      ∀(R : Principal) : 
        ¬(R = P) → 
          x.next.princmode(R) = x.princmode(R) ∧ 
      x.next.princmode(P) = x.princmode(P).learns(m) ∧ 
      (∀(z : Self) : ◇(λ(x1 : Self) : x1 = x) FOR {next}(z) → 
        (◇(λ(z1 : Self) : 
             sent?(z1.action) ∧ 
             sent_rcp(z1.action) = P ∧ 
             sent_msg(z1.action) = m ∧ 
             ◇(λ(x1 : Self) : x1 = x) FOR {next}(z1)) 
          FOR {next}(z) 
        ∨ 
        ∃(z1 : Self) : (◇(λ(x1 : Self) : x1 = z) FOR {next}(z1) ∧ 
             sent?(z1.action) ∧ 
             sent_rcp(z1.action) = P ∧ 
             sent_msg(z1.action) = m ∧ 
             ◇(λ(x1 : Self) : x1 = x) FOR {next}(z1)))) 
Notice that the general structure explained in Sect. 3.2 can be seen: the three
types of Events are clearly distinct. There are also some additional temporal
constraints, i.e., if a message is received in state x.next, then for all states z
prior to x.next, there is a state z1 either prior to z or after z (but prior to
x.next) such that message m was sent in state z1.

As well, we assume that when a message m is sent, it Eventually (◇) will be
received. At first glance, this seems to place a restriction on the ability of the 
Spy, since he cannot prevent a message from arriving. However, there is no time 
constraint on when the message will arrive, and so the Spy has as much time as 
necessary to interrupt the protocol. Thus, we do not feel that this assumption 
weakens the Spy. 

4.5 PVS Theories and Proofs 

There is a compiler for the CCSL language which can be used to translate the 
CCSL class specifications into theories for the PVS theorem prover [13,9]. In 
PVS then, we can prove a number of lemmas and of course the correctness 
conditions for different protocols we are interested in. 

A theorem proving environment like PVS has advantages over informal math- 
ematical arguments. In particular, PVS acts as a proof checker as the proof is 
being built, so that one is more confident of the final result. As well, with user- 
defined strategies tailor-made for the problems at hand, the theorem prover can 
take over much of the tedious work. Of course, such an environment comes with 
the usual difficulties of any formal system. Namely, proofs can become very long 
and tedious and the resulting proof may not be illuminating to a reader. In 
the case of protocol verification, however, one is interested in a proof only for 
establishing the theorem at hand, and not for its explanatory power. 

5 A Word about Generality 

There are two main features of our work which distinguish it from other ap- 
proaches. First, as we have made clear, we take a coalgebraic approach to mod- 
eling message passing in general, and security protocols in particular. Second, 
we have followed the principle that an assumption about our model should be 
justified by an argument about its reasonableness or necessity. This principle is 
evident in the liberal assumptions regarding what messages may be sent. 

These features are orthogonal, in the sense that (i) a coalgebraic model may 
certainly impose stronger assumptions than we do and (ii) other methods of 
verification may, in principle, weaken their assumptions as well. We anticipate 
that other methods will encounter similar complications if they choose to drop 
the protocol message axiom, however. It appears that this assumption comes 
with a real practical payoff, although it is unclear that the resulting proofs show 
the correctness of a protocol in a real-life setting. Again, one must decide at 
what point the practical concerns ought to trump the theoretical motivations. 

In the end, we have proved an important part of the correctness of the Bi- 
lateral Key Exchange protocol. Namely, we have shown that, if A and B do 
not send messages containing Na, Nb, or Kab, aside from the required protocol
messages, then these secrets will never be known to the Spy. Note that, with the 
protocol message axiom, one needs merely to show that once the initial message 
is sent, then eventually the second and third messages will be accepted by their 
recipients to conclude that the protocol is correct. Even without the protocol 
message axiom, the direction for the remainder of the proof is clear, but it is not 
easy. When one allows a large body of legal messages, then it becomes difficult 
to express the relationship between the secrets and the body of messages as a 
whole. As well, when one allows liberal behavior on the part of the two corre- 
spondents, then restrictions that ensure the correct completion of the protocol 
become subtle. These proofs can be completed, but not without some sweat. 

6 Related Work 

There are a lot of different approaches described in the literature which deal
with the verification of security protocols (see e.g. [1,2,6,7,11,15]). Generally
speaking one can say that there are two kinds of approaches. Those that work
(semi-)automatically usually concentrate on some aspects of security while
ignoring others, and in particular have some limitations such as the number of
parallel sessions or the number of principals or protocol steps involved.

Then there are the more “total” approaches (most notably [11], see Sect. 6.1) 
which require a lot of user interaction but mostly do not have restrictions as the 
ones mentioned above. Clearly, our work must be placed in this latter setting. 
We want to stress that both kinds of approaches are useful and are in many ways
each other’s complement. 

6.1 Paulson’s Inductive Approach 

In his influential paper “The Inductive Approach to Verifying Cryptographic Pro-
tocols” [11], Larry Paulson describes an approach for analyzing security protocols
using the theorem prover Isabelle [10]. Although our approach is similar to his,
there are some notable conceptual differences (aside from the practical differ-
ences in the specifications, including his assumption of the protocol message
axiom).

Paulson’s models are inherently algebraic, rather than coalgebraic. He con- 
siders the set of finite traces for a protocol. This set can be given by a least fixed 
point construction, i.e., by an initial algebra. 

His basic proof principle is induction over traces of events ($evs$). To prove $P$
always holds, he shows that

$P([])$    (1)

holds, and that

$P(evs) \Rightarrow P(ev \,\#\, evs)$    (2)

holds, i.e., $P$ holds for the empty trace of events $[]$ and if $P$ holds for some trace $evs$,
$P$ has to hold for all traces $ev \,\#\, evs$ containing one event $ev$ more.

This is analogous to showing that P is an invariant, in the coalgebraic sense. 
The main theoretical difference is that we consider finite and infinite traces as 
models, while Paulson considers finite traces. Moreover, since Paulson relies on
the inductive proof principle, he is restricted to canonical algebras as models. 
Because we do not assume finality of our coalgebraic model, we have a more 
general approach. In particular, Paulson’s inductive models can be viewed as 
models in our coalgebraic setting (since initial algebras are also coalgebras), at 
least given an appropriate specification. 

7 Conclusion 

Our protocol verification departs from other approaches in two distinct features: 
its explicitly coalgebraic (and temporal) foundation, and the weakness of our 
axiomatization of the protocol. The former feature is an illustration of an ap- 
plication of abstract mathematics to verifications, making use of coinductively 
specified structures. The latter feature was motivated by a desire to strengthen 
the persuasiveness of the correctness proofs, by avoiding restrictions that did not 
hold in real networks. In particular, we avoided the so-called protocol message 
axiom. 

We have argued that coalgebras are particularly useful for modeling dynamic 
systems. We think that the separate specification language (allowing also mod- 
ularization and inheritance) as well as the higher abstraction in the proofs are 
other attractive features of our approach. 

It would be useful to compare coinductive versus inductive reasoning on even 
terms, which we have not done here. One should adapt Paulson’s axiomatization 
to a coalgebraic setting (or vice versa). With such a study, one could see the 
advantages and disadvantages of coalgebraic/algebraic conceptual frameworks 
in cryptographic protocol analysis. 

We ran into considerable difficulties in proving the correctness of our sample 
protocol without the protocol message axiom. We have shown that, if the par- 
ticipants A and B transmit messages as called for by the protocol, then the Spy 
never learns the session key (or any of the nonces or private keys). We have not
proved that the Spy can’t compel A or B to send a message to him, revealing the 
session key or nonces. We also have not shown that beliefs which are acquired 
during the protocol run are true. 

These partial successes emphasize the importance of the protocol message ax- 
iom, which has not been previously considered. While we have, we believe, strong 
theoretical motivations for omitting the protocol message axiom, we found per- 
haps stronger practical reasons to accept it. This negative result prompts ques- 
tions about protocol correctness proofs. At what point ought practical concerns 
allow one to accept assumptions which are demonstrably false in natural settings, 
and which are not apparently “harmless”? We do not find an obvious answer to
this fundamentally philosophical question. 

Acknowledgments 

We want to thank Bart Jacobs for suggesting the research topic and helping us 
on our way using CCSL, and Hendrik Tews for explaining CCSL constructs and 
repeatedly modifying the CCSL compiler to satisfy our whims. 







References 

1. M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi 
calculus. In Proceedings of the Fourth ACM Conference on Computer and Com- 
munications Security, pages 36-47. ACM Press, April 1997. 

2. M. Burrows, M. Abadi, and R. Needham. A logic of authentication. Proc. Royal 
Soc., Series A, Volume 426:233-271, 1989. 

3. J. Clark and J. Jacob. A Survey of Authentication Protocol Literature, version
1.0, 1997. Available at URL http://www-users.cs.york.ac.uk/~jac/papers/drareview.ps.gz.

4. D. Dolev and A. Yao. On the security of public key protocols. IEEE Transactions 
on Information Theory, 29(6), 1983. 

5. Gavin Lowe. An attack on the Needham-Schroeder public-key authentication pro- 
tocol. Information Processing Letters, 56:131-133, 1995. 

6. Gavin Lowe. Casper: A compiler for the analysis of security protocols. In PCSFW:
Proceedings of The 10th Computer Security Foundations Workshop. IEEE Com-
puter Society Press, 1997.

7. J. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic
protocol analysis. In 8th ACM Conference on Computer and Communication Se-
curity, pages 166-175. ACM SIGSAC, November 2001.

8. R.M. Needham and M.D. Schroeder. Using encryption for authentication in large 
networks of computers. Communications of the ACM, 21(12):993-999, 1978. 

9. S. Owre, J.M. Rushby, N. Shankar, and F. von Henke. Formal verification for
fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Trans. on
Softw. Eng., 21(2):107-125, 1995.

10. L.C. Paulson. Isabelle: A Generic Theorem Prover. Number 828 in Lect. Notes
Comp. Sci. Springer, Berlin, 1994.

11. L.C. Paulson. The inductive approach to verifying cryptographic protocols. Journ.
of Computer Security, 6:85-128, 1998.

12. J. Rothe, H. Tews, and B. Jacobs. The coalgebraic class specification language 
CCSL. Journal of Universal Comp. Sci., 7(2), 2001. 

13. N. Shankar, S. Owre, J.M. Rushby, and D. Stringer-Calvert. PVS prover guide,
1999. Version 2.3.

14. Hendrik Tews. Coalgebraic Methods for Object Oriented Specification. PhD thesis, 
Technical University of Dresden, October 2002. 

15. F. J. Thayer, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving security 
protocols correct. Journal of Computer Security, 7(1), 1999. 




Behavioural Equivalence and Indistinguishability 
in Higher-Order Typed Languages 



Shin-ya Katsumata 

Division of Informatics, University of Edinburgh, King’s Buildings, 
Edinburgh EH9 3JZ, Scotland 



Abstract. We extend the study of the relationship between behavioural equiva-
lence and the indistinguishability relation [4, 7] to the simply typed lambda calcu-
lus, where higher-order types are available. The relationship between these two
notions is established in terms of factorisability [4]. The main technical tool of
this study is pre-logical relations [8], which give a precise characterisation of
behavioural equivalence. We then consider a higher-order logic to reason about
models of the simply typed lambda calculus, and relate the resulting standard
satisfaction relation to behavioural satisfaction.



1 Introduction 

This work is a contribution to the understanding of the relationship between behavioural 
equivalence and the indistinguishability relation. These notions arose from the study 
of data abstraction in the context of algebraic specifications. Behavioural equivalence
identifies models which show the same behaviour for any program yielding an observ-
able value. This formalises an intuitive equivalence between two programming environ- 
ments that show the same behaviour to programmers, regardless of differences in the 
representation of non-observable data types. The indistinguishability relation is a par- 
tial equivalence relation which identifies values in a model that are interchangeable with 
each other in any program context. This provides an abstract view of the programming 
environment based on behaviour, rather than denotation. 

These two notions are useful when reasoning about specifications, and their rela- 
tionship has been studied in a series of papers beginning with [4] by Bidoit, Hennicker 
and Wirsing. They established the key idea of factorisability to relate behavioural equiv- 
alence and the indistinguishability relation. Their framework is infinitary first-order
logic over $\Sigma$-algebras. Hofmann and Sannella [7] extended the logic over $\Sigma$-algebras
to higher-order logic, which enables us to quantify over predicates and axiomatise the
indistinguishability relation when the underlying signature is finite.

We further extend the target of reasoning to a language having higher-order types 
and functions. Higher-order functions enable us to write program-parameterised pro- 
grams, and are useful in program development. Thus we are interested in reasoning 
about specifications in such languages. 

In this paper, we take the simply typed lambda calculus as the formalisation of 
higher-order typed languages, and give the semantics of the lambda calculus by typed 
combinatory algebras, which subsume a wide range of semantic frameworks including 
Henkin models, type frames and full-type hierarchies. 

M. Wirsing, D. Pattinson, and R. Hennicker (Eds.): WADT 2002, LNCS 2755, pp. 284-298, 2003. 
Once we introduce higher-order types, we need to consider how to extend be-
havioural equivalence and the indistinguishability relation to higher-order types. In the
study of the simply typed lambda calculus, there is a well-known extension method us-
ing exponential relations (the following shows the case of binary relations between two
combinatory algebras $\mathcal{A}$ and $\mathcal{B}$; we can extend this to n-ary relations):

$R^{\tau \to \tau'} = R^{\tau} \Rightarrow R^{\tau'} = \{(f, g) \in A^{\tau \to \tau'} \times B^{\tau \to \tau'} \mid \forall (x, y) \in R^{\tau} .\ (f \bullet_{\mathcal{A}} x, g \bullet_{\mathcal{B}} y) \in R^{\tau'}\}$

and the resulting relation is called a logical relation if it relates the interpretations in A 
and B of each constant. However, in this study, logical relations are not adequate for a 
couple of reasons: 

1. Reachability at first-order types cannot be extended to higher-order types using the
exponential relation. We see this by an example; let us consider the simply typed
lambda calculus with zero and successor, namely $z^{nat}$ and $s^{nat \to nat}$. We give the
semantics of the lambda calculus by the full-type hierarchy $\mathcal{A}$ constructed from
$A^{nat} = \mathbb{N}$. We write $S^{\tau}$ for the set of reachable elements at type $\tau$. We can reach
any $n \in \mathbb{N}$ by the term $s^n(z)$, thus $S^{nat} = A^{nat}$. However the unary logical relation
$R$ constructed from $R^{nat} = S^{nat}$ does not give reachability correctly at higher-order
types, since $R^{nat \to nat} = A^{nat \to nat}$ but clearly

$S^{nat \to nat} \neq A^{nat \to nat}$.

2. Logical relations are not suitable to characterise behavioural equivalence. A re- 
stricted notion of behavioural equivalence, called closed observational equivalence, 
was studied in [10]. Mitchell showed a representation independence theorem: if there
exists a binary logical relation between two models such that the relation is bijective 
on the observable types, then these two models are closed observationally equiv- 
alent. He showed that the converse is also true when the underlying signature has 
only first-order constants. However this is not satisfactory for two reasons; one is 
the above restriction to first-order constants, and the other is that in general log- 
ical relations do not compose, despite the fact that behavioural equivalence is a 
transitive relation. 

To solve these problems, we use pre-logical relations [8] by Honsell and Sannella
instead of logical relations. They are a generalisation of logical relations, and have sev-
eral characterisations; a relation is pre-logical iff it satisfies the basic lemma (theorem
1 below), and a pre-logical relation can be seen as a correspondence in the sense of
Schoett [12] between two combinatory algebras. Roughly, a pre-logical relation is a re-
lation satisfying $R^{\tau \to \tau'} \subseteq R^{\tau} \Rightarrow R^{\tau'}$. Thus pre-logical relations allow flexibility at

higher-order types while logical relations are determined uniquely at all types from the 
relations at base types. Of course logical relations are included in pre-logical relations, 
but also the reachability predicate and other relations are included in this class. Another 
advantage of pre-logical relations is that they are closed under composition, which is a 
desirable property for characterising behavioural equivalence. 

This paper is organised as follows: section 2 introduces basic definitions of the sim- 
ply typed lambda calculus, pre-logical relations and partial equivalence relations(PERs). 
Section 3 establishes a relation between behavioural equivalence and existence of pre- 
logical relations. We also introduce another model equivalence and show that it is equiv- 
alent to behavioural equivalence. In section 4 we study properties of the indistinguisha-
bility relation, which turns out to be a pre-logical PER over the underlying model. In section
5 we show that behavioural equivalence is factorisable by indistinguishability. We move 
to higher-order logic and its semantics in section 6. We introduce two semantics; one 
is the standard model and the other is the relative model w.r.t. some PER. We show 
that the quotient model of higher-order logic by a PER and the behavioural model w.r.t. 
the PER are logically equivalent. We prove this by showing that they are behaviourally 
equivalent w.r.t. boolean observations. In section 7 we apply these results to reasoning 
about specifications. 



2 Preliminaries 

2.1 Syntax of the Simply Typed Lambda Calculus 

Definition 1 (Higher-Order Signature). Let $U$ be a set. We define the set of types
$\mathrm{Typ}(U)$ by BNF $\tau ::= b \mid \tau \to \tau$ where $b \in U$. A higher-order signature (or simply
signature) is a pair of sets $(U, C)$ where $U$ gives the set of base types and
$C \subseteq C_0 \times \mathrm{Typ}(U)$ gives the set of typed constants for some universe $C_0$ of constant symbols. We
write $c^{\tau}$ for the pair $(c, \tau) \in C$. We fix a higher-order signature $\Sigma = (U, C)$. We often
write $\mathrm{Typ}(\Sigma)$ for $\mathrm{Typ}(U)$.

We assume that readers are familiar with the simply typed lambda calculus. The cal-
culus considered in this paper is the minimal fragment; it has only $\to$ types. The
lambda terms are built on a countably infinite set of variables $X$. We define a con-
text by a partial function $\Gamma : X \rightharpoonup \mathrm{Typ}(\Sigma)$. Two contexts $\Gamma$ and $\Delta$ are separated
if $\mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Delta) = \emptyset$. For $T \subseteq \mathrm{Typ}(\Sigma)$, we say $\Gamma$ is a $T$-context if for all
$x \in \mathrm{dom}(\Gamma)$, $\Gamma(x) \in T$. We say $\Gamma \vdash M : \tau$ is a well-formed term if $\Gamma \vdash M : \tau$ is
derived only from the inference rules of the simply typed lambda calculus.



2.2 Semantics of the Simply Typed Lambda Calculus 

In this study, we take typed combinatory algebras as the basis for the semantics of 
the simply typed lambda calculus. The reason is twofold: one is that they are general 
enough to subsume other classes of models, such as Henkin models and type frames, 
and the other is that combinatory algebras and the notion of pre-logical relation, intro- 
duced later, are compatible. Indeed the class of combinatory algebras is closed under 
quotient by pre-logical PERs (proposition 2).

We write $C_{SK}$ for the extension of a set of constants $C$ with $S$, $K$ combinators:

$C_{SK} = C \cup \{K^{\tau \to \tau' \to \tau} \mid \tau, \tau' \in \mathrm{Typ}(\Sigma)\} \cup \{S^{(\tau \to \tau' \to \tau'') \to (\tau \to \tau') \to \tau \to \tau''} \mid \tau, \tau', \tau'' \in \mathrm{Typ}(\Sigma)\}$.

Definition 2 (Typed Combinatory Algebra). A $\Sigma$-typed combinatory algebra (or sim-
ply combinatory algebra) is a tuple $\mathcal{A} = (A, (-)_{\mathcal{A}}, \bullet_{\mathcal{A}})$ such that:

1. $A$ is a $\mathrm{Typ}(\Sigma)$-indexed family of sets (called carrier sets).

2. The application operator $\bullet_{\mathcal{A}}$ is a family of functions having type
$A^{\tau \to \tau'} \times A^{\tau} \to A^{\tau'}$ for any $\tau, \tau' \in \mathrm{Typ}(\Sigma)$.

3. $c_{\mathcal{A}} \in A^{\tau}$ for each $c^{\tau} \in C_{SK}$.

4. The combinators satisfy equations $K \bullet x \bullet y = x$ and $S \bullet p \bullet q \bullet r = p \bullet r \bullet (q \bullet r)$ for
any $x, y, p, q, r$ in appropriate carrier sets (superscripts and subscripts are omitted
for readability).

We write $\bullet_{\mathcal{A}}$ as a left-associative infix operator. We may omit superscripts and sub-
scripts if they are obvious from the context. Script letters ($\mathcal{A}, \mathcal{B}, \cdots$) are used to denote
combinatory algebras while the carrier sets of these algebras are referred to by normal
letters ($A, B, \cdots$). We write $\mathrm{CA}(\Sigma)$ for the collection of $\Sigma$-combinatory algebras.

Definition 3 (Henkin Model/Type Frame/Full Type Hierarchy). A combinatory al-
gebra $\mathcal{A}$ is called:

- a $\Sigma$-Henkin model if extensionality holds:
$\forall f, g \in A^{\tau \to \tau'} .\ (\forall x \in A^{\tau} .\ f \bullet_{\mathcal{A}} x = g \bullet_{\mathcal{A}} x) \Rightarrow f = g$.

- a $\Sigma$-type frame if $A^{\tau \to \tau'} \subseteq A^{\tau} \to A^{\tau'}$ and $f \bullet_{\mathcal{A}} x = f(x)$.

- a $\Sigma$-full type hierarchy if $A^{\tau \to \tau'} = A^{\tau} \to A^{\tau'}$ and $f \bullet_{\mathcal{A}} x = f(x)$. We note that a
full-type hierarchy is uniquely determined by the carrier sets for base types.

Example 1. The following is a higher-order signature $\Sigma_{set} = (U_{set}, C_{set})$ for the finite
sets of natural numbers.

$U_{set} = \{bool, nat, set\}$

$C_{set} = \{tt^{bool}, ff^{bool}, not^{bool \to bool}, 0^{nat}, succ^{nat \to nat}, eq^{nat \to nat \to bool}, \emptyset^{set}, \ldots, isempty^{set \to bool}, filter^{(nat \to bool) \to set \to set}\}$

(The constants between $\emptyset^{set}$ and $isempty$, of types $nat \to set \to set$ and $set \to \cdots \to set$, have names that are illegible in the extraction.)

The constant filter takes a predicate p and a set s and yields the set which consists of the
elements in s satisfying the predicate p. The constant isempty judges whether a given
set is empty or not.

We introduce two full-type hierarchies $\mathcal{A}_{set}$ and $\mathcal{B}_{set}$ over $\Sigma_{set}$. In $\mathcal{A}_{set}$, base types
are interpreted as $A_{set}^{bool} = \{tt, ff\}$, $A_{set}^{nat} = \mathbb{N}$, $A_{set}^{set} = \mathcal{P}(\mathbb{N})$. We interpret filter and
isempty in $\mathcal{A}_{set}$ as follows:

$filter_{\mathcal{A}_{set}}\ f\ X = \{x \in X \mid f(x) = tt\}$
$isempty_{\mathcal{A}_{set}}\ X = tt \iff X = \emptyset$

The interpretation of the other constants is naturally defined.

In $\mathcal{B}_{set}$, base types are interpreted as $B_{set}^{bool} = \{tt, ff\}$, $B_{set}^{nat} = \mathbb{N}$,
$B_{set}^{set} = \mathbb{N} \to B_{set}^{bool}$. In this interpretation, a set $X \subseteq \mathbb{N}$ is represented by its characteristic function
$\phi_X : \mathbb{N} \to B_{set}^{bool}$. We interpret filter and isempty in $\mathcal{B}_{set}$ as follows:

$(filter_{\mathcal{B}_{set}}\ p\ f)\ x = tt \iff p(x) = tt \wedge f(x) = tt$
$isempty_{\mathcal{B}_{set}}\ f = tt \iff \forall x \in \mathbb{N} .\ f(x) = ff$

The interpretation of the other constants is naturally defined.
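As an added example, not part of the paper, the two models $\mathcal{A}_{set}$ (sets as $\mathcal{P}(\mathbb{N})$) and $\mathcal{B}_{set}$ (sets as characteristic functions) of Example 1 are realised below and compared on closed observation terms of type bool, which is the behavioural-equivalence check of the text restricted to OBS = {bool}; it also checks that the relation pairing a set with its characteristic function is respected by filter and isempty on sample arguments. The constant of type $nat \to set \to set$ whose name is illegible here is called add, and the finite support bound used to decide isempty in $\mathcal{B}_{set}$ is an assumption of this example.

```python
# Added example (not from the paper): executable A_set and B_set from Example 1.
# Functions are curried, mirroring application f • x in a full-type hierarchy.
TT, FF = True, False

def _not(b): return not b
def _eq(m): return lambda n: m == n
def _succ(n): return n + 1

# --- A_set: set = P(N), sets are frozensets --------------------------------
A_SET = {
    'tt': TT, 'ff': FF, 'not': _not, '0': 0, 'succ': _succ, 'eq': _eq,
    'empty': frozenset(),
    'add': lambda n: lambda X: X | {n},            # name `add` is an assumption
    # filter_A f X = {x ∈ X | f(x) = tt}
    'filter': lambda f: lambda X: frozenset(x for x in X if f(x) is TT),
    # isempty_A X = tt <=> X = ∅
    'isempty': lambda X: X == frozenset(),
}

# --- B_set: set = N -> bool, a set X is its characteristic function φ_X -----
# isempty_B quantifies over all of N, which cannot be decided for an arbitrary
# function, so each characteristic function carries a support bound (assumption
# of this example): φ(x) = ff for every x > bound.  Every set built from
# `empty` and `add` has such a bound.
class CharFn:
    def __init__(self, fn, bound):
        self.fn, self.bound = fn, bound
    def __call__(self, x):
        return self.fn(x)

B_SET = {
    'tt': TT, 'ff': FF, 'not': _not, '0': 0, 'succ': _succ, 'eq': _eq,
    'empty': CharFn(lambda x: FF, -1),
    'add': lambda n: lambda f: CharFn(lambda x: x == n or f(x), max(n, f.bound)),
    # (filter_B p f) x = tt <=> p(x) = tt ∧ f(x) = tt
    'filter': lambda p: lambda f: CharFn(lambda x: p(x) is TT and f(x) is TT, f.bound),
    # isempty_B f = tt <=> ∀x ∈ N. f(x) = ff   (decided up to the support bound)
    'isempty': lambda f: all(f(x) is FF for x in range(f.bound + 1)),
}

def char_of(X):
    """φ_X for a finite X ⊆ N, the B_set representative of the A_set value X."""
    return CharFn(lambda x: x in X, max(X, default=-1))

# --- closed observation terms of type bool, evaluated in a model M ---------
def obs_filter_keeps_zero(M):
    """isempty (filter (eq 0) (add 0 (add (succ 0) empty)))  -> ff in both models"""
    s = M['add'](M['0'])(M['add'](M['succ'](M['0']))(M['empty']))
    return M['isempty'](M['filter'](M['eq'](M['0']))(s))

def obs_filter_drops_all(M):
    """isempty (filter (eq (succ (succ 0))) (add 0 empty))  -> tt in both models"""
    two = M['succ'](M['succ'](M['0']))
    return M['isempty'](M['filter'](M['eq'](two))(M['add'](M['0'])(M['empty'])))

def obs_not_isempty_empty(M):
    """not (isempty empty)  -> ff in both models"""
    return M['not'](M['isempty'](M['empty']))

OBSERVATIONS = [obs_filter_keeps_zero, obs_filter_drops_all, obs_not_isempty_empty]

def behaviourally_equivalent(MA, MB, observations):
    """Definition 8 restricted to closed terms and OBS = {bool}: the two models
    must give the same boolean value on every observation supplied."""
    return all(obs(MA) == obs(MB) for obs in observations)

# --- the relation R^set = {(X, φ_X)} and its preservation by the constants ---
def related_at_set(X, f):
    """(X, f) ∈ R^set: f agrees with the membership test of X on the whole support."""
    limit = max(f.bound, max(X, default=-1)) + 1
    return all(f(x) == (x in X) for x in range(limit))

def respects_relation(X, pred):
    """Applying filter (with the same predicate) and isempty in both models to
    R-related arguments must yield R-related results (the pre-logical condition,
    checked on one sample pair)."""
    fX = char_of(X)
    if not related_at_set(X, fX):
        return False
    filtered_A = A_SET['filter'](pred)(X)
    filtered_B = B_SET['filter'](pred)(fX)
    return (related_at_set(filtered_A, filtered_B)
            and A_SET['isempty'](filtered_A) == B_SET['isempty'](filtered_B))

if __name__ == '__main__':
    print(behaviourally_equivalent(A_SET, B_SET, OBSERVATIONS))   # True
    print(respects_relation(frozenset({1, 3}), lambda n: n > 2))  # True
```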
An environment (ranged over by $\eta$, $\rho$) over a combinatory algebra $\mathcal{A}$ is a partial
function $X \rightharpoonup \bigcup_{\tau \in \mathrm{Typ}(\Sigma)} A^{\tau}$. We write $\eta \in A^{\Gamma}$ for an environment $\eta$ such that
$\mathrm{dom}(\eta) = \mathrm{dom}(\Gamma)$ and $\eta(x) \in A^{\Gamma(x)}$ for all $x \in \mathrm{dom}(\eta)$.

Given a combinatory algebra $\mathcal{A}$, we can interpret well-formed lambda terms in $\mathcal{A}$
by the meaning function $\mathcal{A}[\![-]\!]-$, which maps a well-formed term $\Gamma \vdash M : \tau$ and an
environment $\eta \in A^{\Gamma}$ to a value in $A^{\tau}$. The meaning function is defined by induction
on the derivation of well-formed lambda terms, and uses a trick of compiling lambda
abstraction using $S$ and $K$ in a combinatory algebra when interpreting $\lambda x^{\tau} . M$. For
details, see [2, 11].

Proposition 1. (Semantic Substitution Lemma) Let $\Gamma$ and $\Delta$ be separated contexts,
$\Gamma, x : \tau \vdash M : \tau'$ and $\Delta \vdash N : \tau$ be well-formed terms, $\rho \in A^{\Gamma}$ and $\eta \in A^{\Delta}$. Then
$\mathcal{A}[\![M]\!]\rho\{x \mapsto \mathcal{A}[\![N]\!]\eta\} = \mathcal{A}[\![M[N/x]]\!]\rho \cup \eta$.

Definition 4 ($\Sigma$-homomorphism). A $\Sigma$-homomorphism is a $\mathrm{Typ}(\Sigma)$-indexed family
of functions $\{h^{\tau} : A^{\tau} \to B^{\tau}\}_{\tau \in \mathrm{Typ}(\Sigma)}$ such that for all $c^{\tau} \in C_{SK}$, $h^{\tau}(c_{\mathcal{A}}) = c_{\mathcal{B}}$
and for all $\tau, \tau' \in \mathrm{Typ}(\Sigma)$, $x \in A^{\tau \to \tau'}$ and $y \in A^{\tau}$,
$h^{\tau'}(x \bullet_{\mathcal{A}} y) = h^{\tau \to \tau'}(x) \bullet_{\mathcal{B}} h^{\tau}(y)$.
A $\Sigma$-isomorphism is a $\Sigma$-homomorphism $h$ such that $h^{\tau}$ is bijective on each
$\tau \in \mathrm{Typ}(\Sigma)$. We write $\mathcal{A} \cong \mathcal{B}$ if there exists a $\Sigma$-isomorphism between $\mathcal{A}$ and $\mathcal{B}$.

2.3 Pre-logical Relations 

First, some definitions. A relation between $\mathcal{A}$ and $\mathcal{B}$ (written $R \subseteq \mathcal{A} \times \mathcal{B}$) is a $\mathrm{Typ}(\Sigma)$-
indexed family of sets $R$ satisfying $R^{\tau} \subseteq A^{\tau} \times B^{\tau}$ for all $\tau \in \mathrm{Typ}(\Sigma)$. We write
$(\eta, \eta') \in R^{\Gamma}$ if $\eta \in A^{\Gamma}$, $\eta' \in B^{\Gamma}$ and for all $x \in \mathrm{dom}(\Gamma)$, $(\eta(x), \eta'(x)) \in R^{\Gamma(x)}$.
The composition of relations $R \subseteq \mathcal{A} \times \mathcal{B}$ and $R' \subseteq \mathcal{B} \times \mathcal{C}$ is defined by type-wise
composition of $R$ and $R'$. The exponential relation of $R^{\tau}$ and $R^{\tau'}$ is defined by

$R^{\tau} \Rightarrow R^{\tau'} = \{(f, g) \in A^{\tau \to \tau'} \times B^{\tau \to \tau'} \mid \forall (x, y) \in R^{\tau} .\ (f \bullet_{\mathcal{A}} x, g \bullet_{\mathcal{B}} y) \in R^{\tau'}\}$.

Pre-logical relations were proposed by Honsell and Sannella [8], and are a gener-
alised notion of logical relations. In this paper, we adopt the following definition of
pre-logical relations¹.

Definition 5 (Pre-logical Relations [8]). A relation $R \subseteq \mathcal{A} \times \mathcal{B}$ is pre-logical if

1. $R^{\tau \to \tau'} \subseteq R^{\tau} \Rightarrow R^{\tau'}$, or equivalently for all $(f, g) \in R^{\tau \to \tau'}$ and $(x, y) \in R^{\tau}$, the
pair $(f \bullet_{\mathcal{A}} x, g \bullet_{\mathcal{B}} y)$ is included in $R^{\tau'}$, and

2. for all $c^{\tau} \in C_{SK}$, the pair $(c_{\mathcal{A}}, c_{\mathcal{B}})$ is included in $R^{\tau}$.

We contrast the above to the definition of logical relations. A logical relation is a type-
indexed family of binary relations $R$ satisfying $R^{\tau \to \tau'} = R^{\tau} \Rightarrow R^{\tau'}$ and for each
$c^{\tau} \in C$, $(c_{\mathcal{A}}, c_{\mathcal{B}}) \in R^{\tau}$. Thus when we give a logical relation, we perform the following
steps: we first give a relation $R$ on base types, then extend it to higher-order types using
the above scheme and check whether the interpretations in $\mathcal{A}$ and $\mathcal{B}$ of each of the
constants are related by $R$. In contrast, the definition of pre-logical relations lacks right-
to-left inclusion in the above scheme². Thus it allows flexibility of choice of relations
at higher-order types. We note that logical relations are also pre-logical relations, since
the above scheme implies that the relation $R$ relates $S$, $K$ combinators at all types.

¹ Originally pre-logical relations were defined over lambda applicative structures, which is a
general class of set-theoretic models of the simply typed lambda calculus. In the case that
the underlying models are combinatory algebras, the definition coincides with definition 5 as
observed in [8].

In [8] various characterisations of pre-logical relations are studied. One notable char-
acterisation is via the basic lemma.

Theorem 1 (Basic Lemma for Pre-logical Relations [8]). Let $R \subseteq \mathcal{A} \times \mathcal{B}$. Then
$\forall (\eta, \eta') \in R^{\Gamma} .\ (\mathcal{A}[\![M]\!]\eta, \mathcal{B}[\![M]\!]\eta') \in R^{\tau}$ holds for any well-formed term $\Gamma \vdash M : \tau$ if
and only if $R$ is a pre-logical relation.

Another notable property of pre-logical relations is that the composition of two pre- 
logical relations is again a pre-logical relation. 

Theorem 2 (Composability of Pre-logical Relations [8]). Let $R \subseteq \mathcal{A} \times \mathcal{B}$ and
$R' \subseteq \mathcal{B} \times \mathcal{C}$ be pre-logical relations. Then $R \circ R' \subseteq \mathcal{A} \times \mathcal{C}$ is a pre-logical relation.

2.4 Partial Equivalence Relations 

Recall that a PER (ranged over by $E$) over $\mathcal{A}$ is a relation $E \subseteq \mathcal{A} \times \mathcal{A}$ such that
for all $\tau \in \mathrm{Typ}(\Sigma)$, $E^{\tau}$ is symmetric and transitive. We write the domain of $E^{\tau}$ by
$|E^{\tau}| = \{x \in A^{\tau} \mid (x, x) \in E^{\tau}\}$. Then $E^{\tau}$ is just an equivalence relation over $|E^{\tau}|$, so
we write $[x]$ for the equivalence class of $x \in |E^{\tau}|$ by $E^{\tau}$ and $A/E^{\tau}$ for the quotient
$|E^{\tau}|/E^{\tau}$.

When a PER E C .4 x .4 is pre-logical (or logical), we call E a pre-logical (or 
logical) PER. The quotient of a combinatory algebra by a pre-logical PER is again a 
combinatory algebra. 

Proposition 2 ([8]). Let $E$ be a pre-logical PER over $\mathcal{A}$.

1. The tuple $(A/E, [(-)_{\mathcal{A}}], \bullet)$ where $[x] \bullet [y] = [x \bullet_{\mathcal{A}} y]$ is a $\Sigma$-combinatory algebra.
We call this the quotient of $\mathcal{A}$ by $E$, and write it $\mathcal{A}/E$.

2. Let $\Gamma \vdash M : \tau$ be a well-formed term and $\eta \in A/E^{\Gamma}$. Then
$\mathcal{A}/E[\![M]\!]\eta = [\mathcal{A}[\![M]\!]\rho]$ where $\rho \in A^{\Gamma}$ and $\rho(x) \in \eta(x)$ for all $x \in \mathrm{dom}(\Gamma)$.

Definition 6 (Projection). We define the projection relation $\Pi(E) \subseteq \mathcal{A}/E \times \mathcal{A}$ as the
following $\mathrm{Typ}(\Sigma)$-indexed family of binary relations:

$\Pi(E)^{\tau} = \{([e], e) \in A/E^{\tau} \times A^{\tau} \mid e \in |E^{\tau}|\}$.

Lemma 1. The projection $\Pi(E)$ is a pre-logical relation.

Proof. Clearly $\Pi(E)$ relates all constants in $C_{SK}$. From the definition of pre-logical
PERs, $E$ is closed under the application operator. Therefore $\Pi(E)$ is so as well. □

² Indeed, the reverse direction is required to hold only for lambda-definable elements because
of the presence of the combinators in the set of constants.
3 Behavioural Equivalence and Pre-logical Relations

Behavioural equivalence identifies two models showing the same behaviour in response 
to all observations. Each observation compares the values of two terms of observable 
types, whose values are directly accessible to programmers. This definition of obser- 
vation formalises the use of experiments to detect the difference of behaviour of visi- 
ble data types between two models. Thus, intuitively speaking, if two models are be- 
haviourally equivalent, they provide the same programming environment to program- 
mers, even though they may have different implementations of invisible data types. 

We establish a link between behavioural equivalence and pre-logical relations. The 
result is a natural extension of [8] to allow free variables of observable types, and an 
extension of [12] to handle higher-order types. 

The definition of behavioural equivalence is adapted from [7]. There are other pos-
sibilities for the treatment of free variables, but we do not discuss them. For detail, see
[7]. We fix a set $OBS \subseteq \mathrm{Typ}(\Sigma)$ called the observable types. We first introduce an
auxiliary notion of $OBS$-surjective environment.

Definition 7. An $OBS$-surjective environment between $\mathcal{A}$ and $\mathcal{B}$ is a tuple $(\Gamma, \rho, \rho')$
where $\Gamma$ is an $OBS$-context and $\rho \in A^{\Gamma}$ and $\rho' \in B^{\Gamma}$ are environments such that

$\mathrm{im}(\rho) = \bigcup_{\tau \in OBS} A^{\tau}$ and $\mathrm{im}(\rho') = \bigcup_{\tau \in OBS} B^{\tau}$.

We say $\mathcal{A}$ is $OBS$-countable if the set $\bigcup_{\tau \in OBS} A^{\tau}$ is countable.

We note that if there exists an $OBS$-surjective environment between $\mathcal{A}$ and $\mathcal{B}$, then $\mathcal{A}$
and $\mathcal{B}$ are $OBS$-countable. This is due to the cardinality of the set of variables.

Definition 8 (Behavioural Equivalence). We say $\mathcal{A}$ and $\mathcal{B}$ are behaviourally equiv-
alent w.r.t. $OBS$ (written $\mathcal{A} \equiv_{OBS} \mathcal{B}$) if there exists an $OBS$-surjective environ-
ment $(\Gamma, \rho, \rho')$ between $\mathcal{A}$ and $\mathcal{B}$ such that for any $\tau \in OBS$ and well-formed terms
$\Gamma \vdash M, N : \tau$, we have $\mathcal{A}[\![M]\!]\rho = \mathcal{A}[\![N]\!]\rho \iff \mathcal{B}[\![M]\!]\rho' = \mathcal{B}[\![N]\!]\rho'$.

We also give another formalisation of behavioural equivalence. We first introduce a 
program equivalence in a model, then we say two models are behaviourally equivalent 
if the program equivalence in both models coincides. 

Definition 9. 1. Let $\Gamma$ be an $OBS$-context, $\tau \in OBS$ and $\Gamma \vdash M, N : \tau$ be well-
formed terms. We write $\mathcal{A} \models \Gamma \vdash M \approx N : \tau$ if for all $\eta \in A^{\Gamma}$, we have
$\mathcal{A}[\![M]\!]\eta = \mathcal{A}[\![N]\!]\eta$.

2. We write $\mathcal{A} \sim_{OBS} \mathcal{B}$ if $A^{\tau} \cong B^{\tau}$ for any $\tau \in OBS$, and for any $OBS$-context $\Gamma$,
$\tau \in OBS$ and well-formed terms $\Gamma \vdash M, N : \tau$, we have
$\mathcal{A} \models \Gamma \vdash M \approx N : \tau \iff \mathcal{B} \models \Gamma \vdash M \approx N : \tau$.

We introduce observational pre-logical relations to characterise behavioural equiva- 
lence (c.f. Schoett’s correspondence [12]). 

Definition 10 (Observational Pre-logical Relations). An observational pre-logical relation $R \subseteq A \times B$ w.r.t. OBS is a pre-logical relation such that for all $\tau \in OBS$, $R^\tau \subseteq A^\tau \times B^\tau$ is a bijection.

Proposition 3. Let $R \subseteq A \times B$ and $S \subseteq B \times C$ be observational pre-logical relations w.r.t. OBS. Then $R \circ S$ is an observational pre-logical relation w.r.t. OBS.
The following theorem characterises behavioural equivalence in terms of observational pre-logical relations. Simultaneously, it shows that the two formalisations of behavioural equivalence coincide (see the footnotes after example 3).

Theorem 3. The following are equivalent:

1. $A \equiv_{OBS} B$

2. $A$ and $B$ are OBS-countable and $A \sim_{OBS} B$

3. $A$ and $B$ are OBS-countable and there is an observational pre-logical relation $R \subseteq A \times B$ w.r.t. OBS.

Proof. (Sketch) ($1 \Rightarrow 2$) The assumption implies that there exists an OBS-surjective environment $(\Gamma, \rho, \rho')$. From this, $A$ and $B$ are OBS-countable. We then define for each $\tau \in OBS$, $h^\tau : A^\tau \to B^\tau$ by $h^\tau(a) = \rho'(x_a)$, where $x_a \in \mathrm{dom}(\Gamma)$ is a variable such that $\rho(x_a) = a$. We can show $h^\tau$ is well-defined and gives an isomorphism. Next we show that $A \models \Delta \vdash M \approx N : \tau$ implies $B \models \Delta \vdash M \approx N : \tau$; the reverse direction is by symmetry. Let $\eta' \in B^\Delta$. From the definition of OBS-surjective environment, for all $x \in \mathrm{dom}(\Delta)$, there exists $y_x \in \mathrm{dom}(\Gamma)$ such that $\eta'(x) = \rho'(y_x)$. Then we define an environment $\eta \in A^\Delta$ by $\eta(x) = \rho(y_x)$ and a variable renaming $\sigma$ by $\sigma(x) = y_x$. Now we have $A\llbracket M\sigma\rrbracket\rho = A\llbracket M\rrbracket\eta = A\llbracket N\rrbracket\eta = A\llbracket N\sigma\rrbracket\rho$. This implies $B\llbracket M\rrbracket\eta' = B\llbracket M\sigma\rrbracket\rho' = B\llbracket N\sigma\rrbracket\rho' = B\llbracket N\rrbracket\eta'$ from $A \equiv_{OBS} B$.

($2 \Rightarrow 3$) From $A \sim_{OBS} B$, we can choose bijections $R_0^\tau$ for each $\tau \in OBS$ satisfying $(A\llbracket M\rrbracket, B\llbracket M\rrbracket) \in R_0^\tau$ for all $\emptyset \vdash M : \tau$. Then it is easy to see that the following relation $R \subseteq A \times B$ is a pre-logical relation:

$R^\tau = \{(A\llbracket M\rrbracket\rho, B\llbracket M\rrbracket\rho') \mid \Gamma \text{ is an OBS-context} \wedge \Gamma \vdash M : \tau \wedge (\rho, \rho') \in R_0^\Gamma\}$

where $R^\tau$ is clearly a bijection for each $\tau \in OBS$.

($3 \Rightarrow 1$) Since $A$ and $B$ are OBS-countable, for each $\tau \in OBS$ and each pair $(e, f) \in R^\tau$, it is possible to assign a distinct variable $x^\tau_{e,f}$. Then we define an OBS-surjective environment $(\Gamma, \rho, \rho')$ by $\Gamma(x^\tau_{e,f}) = \tau$, $\rho(x^\tau_{e,f}) = e$ and $\rho'(x^\tau_{e,f}) = f$. The goal $A \equiv_{OBS} B$ follows from lemma 1. □

Example 2. We construct a logical relation $R_{Set} \subseteq A_{Set} \times B_{Set}$ from the following relations at base types:

$R^{bool} = \mathrm{Id}^{bool}$, $R^{nat} = \mathrm{Id}^{nat}$,

$R^{set} = \{(X, f) \in \mathcal{P}(\mathbb{N}) \times (\mathbb{N} \to B^{bool}) \mid \forall x .\ x \in X \iff f(x) = tt\}$

We can easily show that $R$ relates the interpretations of all constants, and by definition, it is bijective on $\{bool, nat\}$. Therefore we have $A_{Set} \equiv_{\{bool, nat\}} B_{Set}$.

Example 3. In [9], the notion of constructive data refinement is formalised in terms of the existence of a pre-logical relation. They demonstrate that an implementation $S$ of real number computation in the programming language PCF forms a data refinement in their sense; for any model $B$ of PCF, there exists a model $A$ of real number computation such that $A$ and $B|_S$ (the $S$-reduct of $B$) are closed observationally equivalent w.r.t. $bool$. To show this, they give an actual construction of $A$ and $R \subseteq A \times B|_S$ from any PCF model $B$, where $R$ is a pre-logical relation but not a logical relation. For details, see [9]. We believe that we can replace closed observational equivalence with behavioural equivalence and we can still construct a model $A$ such that $A \equiv_{\{bool\}} B|_S$.

Footnote: The proof of theorem 3 does not rely on particular properties of combinatory algebras. Thus we can expect that it holds over lambda applicative structures.

Footnote: In fact $2 \Rightarrow 3$ still holds when dropping the condition that $A$ and $B$ are OBS-countable.

4 Indistinguishability Relations 

We introduce an equivalence of values called indistinguishability based on their be- 
haviour rather than their denotation. We regard two values in a model as “behaviourally” 
indistinguishable if they are interchangeable in any program. This is shown by perform- 
ing a set of experiments; we fit one value into a program yielding a visible result, and 
see whether any difference is detected when we exchange the one with the other. If two 
values pass the above experiment over all possible programs, then we say that they are 
indistinguishable. This identification of values is more suitable to provide an abstract 
aspect of specifications. 

There are several ways to formalise the above idea. In this paper we adopt the same 
definition of indistinguishability as [7] for combinatory algebras. 

Definition 11 (Reachable). Let $\tau \in \mathrm{Typ}(\Sigma)$. A value $v \in A^\tau$ is OBS-reachable if there exists an OBS-context $\Gamma$, a well-formed term $\Gamma \vdash M : \tau$ and $\rho \in A^\Gamma$ such that

$v = A\llbracket M\rrbracket\rho$.

Definition 12 (Indistinguishability Relation). Let $\tau \in \mathrm{Typ}(\Sigma)$. We say two values $v, w \in A^\tau$ are indistinguishable (written $v \approx^\tau_A w$) if they are OBS-reachable and for any OBS-context $\Gamma$, $\tau' \in OBS$, $\rho \in A^\Gamma$ and well-formed term $\Gamma, x : \tau \vdash M : \tau'$, we have $A\llbracket M\rrbracket\rho\{x \mapsto v\} = A\llbracket M\rrbracket\rho\{x \mapsto w\}$.

The indistinguishability relation is defined on each combinatory algebra. Thus $\approx$ gives rise to a family of PERs indexed by $CA(\Sigma)$. The results in this section are proved for only one combinatory algebra, but readers may regard them as statements for the family of indistinguishability PERs.

In $A_{Set}$, $x \approx_{A_{Set}} y$ implies $x = y$. We note that $\approx_{A_{Set}}$ is a partial equivalence relation but not a total one, since infinite sets of natural numbers are not OBS-reachable.
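The following is an added example (not code from the paper) that carries out the experiments behind Definitions 8, 9 and 12 on two concrete models of a small Set signature. Model A is the set-as-subset representation of $A_{Set}$; model B is a constructed alternative that stores a set as a list that may contain duplicates (it is not the paper's $B_{Set}$ of characteristic functions). The signature (empty, add, remove, member, isempty, size), the relation `related` standing in for $R^{set}$, and the depth bounds on the enumerated terms are assumptions of the example: a bounded enumeration can refute behavioural equivalence or indistinguishability, but only approximates the quantification over all programs in the definitions. Closed terms only are enumerated for the equivalence check, which is the closed observational equivalence mentioned in example 3.

```python
"""Behavioural equivalence and indistinguishability checked by experiments.

Hidden type `set`, observable types `bool` and `nat`.  Only results at
observable types are ever compared, so differing hidden representations
stay invisible to a program.  (Constructed example; bounds are assumptions.)
"""
from itertools import product

OBS = {"bool", "nat"}

# Signature: constant -> (argument types, result type)
SIG = {
    "empty": ((), "set"),
    "add": (("nat", "set"), "set"),
    "remove": (("nat", "set"), "set"),
    "member": (("nat", "set"), "bool"),
    "isempty": (("set",), "bool"),
    "size": (("set",), "nat"),
}

# Model A: sets as frozensets (the subset representation of A_Set).
MODEL_A = {
    "empty": lambda: frozenset(),
    "add": lambda n, s: s | {n},
    "remove": lambda n, s: s - {n},
    "member": lambda n, s: n in s,
    "isempty": lambda s: len(s) == 0,
    "size": lambda s: len(s),
}

# Model B (constructed): sets as lists with possible duplicates.  `add`
# appends unconditionally, so [1, 1, 2] and [2, 1] are distinct denotations
# that no observable program can tell apart.
MODEL_B = {
    "empty": lambda: [],
    "add": lambda n, s: s + [n],
    "remove": lambda n, s: [x for x in s if x != n],
    "member": lambda n, s: n in s,
    "isempty": lambda s: len(s) == 0,
    "size": lambda s: len(set(s)),
}


def evaluate(model, term, env):
    """Denotation of a term in a model under environment `env`.  Terms are
    ('var', name), ('nat', k) literals, or (constant, *argument_terms)."""
    tag = term[0]
    if tag == "var":
        return env[term[1]]
    if tag == "nat":
        return term[1]
    return model[tag](*(evaluate(model, t, env) for t in term[1:]))


def terms_of_type(typ, depth, variables=()):
    """All terms of type `typ` up to `depth` nested constants; `variables`
    is a tuple of (name, type) pairs that may occur free (the context)."""
    out = [("var", name) for name, vtyp in variables if vtyp == typ]
    if typ == "nat":
        out += [("nat", k) for k in (1, 2, 3)]
    if depth == 0:
        return out
    for c, (args, res) in SIG.items():
        if res != typ:
            continue
        choices = [terms_of_type(a, depth - 1, variables) for a in args]
        out += [(c, *ts) for ts in product(*choices)]
    return out


def related(a, b):
    """Relation at the hidden type (R^set adapted to the list model)."""
    return a == frozenset(b)


def relation_respects_constants(depth=2):
    """Pre-logical relation check on constants over a bounded sample:
    related arguments must give related results (identity at OBS types)."""
    samples = {"nat": [(k, k) for k in (1, 2, 3)],
               "set": [(evaluate(MODEL_A, t, {}), evaluate(MODEL_B, t, {}))
                       for t in terms_of_type("set", depth)]}
    for c, (args, res) in SIG.items():
        for pairs in product(*(samples[a] for a in args)):
            ra = MODEL_A[c](*(p[0] for p in pairs))
            rb = MODEL_B[c](*(p[1] for p in pairs))
            if not (related(ra, rb) if res == "set" else ra == rb):
                return False
    return True


def behaviourally_equivalent(depth=3):
    """Experiments: every closed term of observable type up to `depth`
    denotes the same value in both models."""
    return all(evaluate(MODEL_A, t, {}) == evaluate(MODEL_B, t, {})
               for typ in OBS for t in terms_of_type(typ, depth))


def indistinguishable(model, v, w, depth=2):
    """Bounded Definition 12: v and w of type `set` are indistinguishable
    if every context x:set |- M : obs up to `depth` yields the same result."""
    ctx = (("x", "set"),)
    return all(evaluate(model, t, {"x": v}) == evaluate(model, t, {"x": w})
               for typ in OBS for t in terms_of_type(typ, depth, ctx))
```

In model B the values `[1, 1, 2]` and `[2, 1]` are unequal yet `indistinguishable(MODEL_B, [1, 1, 2], [2, 1])` holds, so $\approx_B$ is a PER strictly coarser than equality; in model A the same check reduces to equality, as the text says for $A_{Set}$. Raising `depth` enlarges the set of experiments but never changes a verdict of "distinguishable".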

Theorem 4. The indistinguishability relation $\approx_A$ is a pre-logical PER such that $\approx^\tau_A = \mathrm{Id}_{A^\tau}$ for all $\tau \in OBS$.

Proof. (Sketch) It is easy to see that $\approx_A$ is a PER which relates all constants and is $\mathrm{Id}_{A^\tau}$ for all $\tau \in OBS$. We show it is closed under application. We assume $e \approx^{\tau \to \tau'}_A f$ and $x \approx^{\tau}_A y$. Let $\Gamma$ be an OBS-context, $\tau'' \in OBS$, $\Gamma, z : \tau' \vdash M : \tau''$ be a well-formed term and $\rho \in A^\Gamma$. Since $e$ is OBS-reachable, we can write $e = A\llbracket E\rrbracket\eta$ with a well-formed term $E$ and an environment $\eta$ such that $\mathrm{dom}(\rho) \cap \mathrm{dom}(\eta) = \emptyset$. Then from proposition 1 and $x \approx^{\tau}_A y$, we have $A\llbracket M\rrbracket\rho\{z \mapsto e \bullet x\} = A\llbracket M[E\,w/z]\rrbracket(\rho \cup \eta)\{w \mapsto x\} = A\llbracket M[E\,w/z]\rrbracket(\rho \cup \eta)\{w \mapsto y\} = A\llbracket M\rrbracket\rho\{z \mapsto e \bullet y\}$. We can similarly swap $e$ and $f$. Thus we obtain $e \bullet x \approx^{\tau'}_A f \bullet y$.

□
By analogy with the terminology of denotational semantics, a $\Sigma$-combinatory algebra is fully abstract when the indistinguishability relation on $A$ and the set-theoretic equality coincide (the proof is omitted).

Theorem 5. The quotient model $A/\!\approx_A$ is fully abstract, i.e. for all $\tau \in \mathrm{Typ}(\Sigma)$ and $a, b \in (A/\!\approx_A)^\tau$, $a = b$ iff $a \approx^\tau_{A/\approx_A} b$.

5 Factorisability 

We have seen two approaches to obtain abstract models of specifications: behavioural equivalence on the one hand and the indistinguishability relation on the other. Both of them naturally arise from the motivation of reasoning about specifications from a behavioural point of view. Thus we are interested in considering their relationship. The key idea is the notion of factorisability [4].

Definition 13 (Factorisability). Let $E$ be a $CA(\Sigma)$-indexed family of PERs and $\equiv$ be an equivalence relation over $CA(\Sigma)$. Then

- $\equiv$ is left-factorisable by $E$ if for all $A, B \in CA(\Sigma)$, $A/E_A \cong B/E_B \Rightarrow A \equiv B$.

- $\equiv$ is right-factorisable by $E$ if for all $A, B \in CA(\Sigma)$, $A \equiv B \Rightarrow A/E_A \cong B/E_B$.

We say $\equiv$ is factorisable by $E$ if both of the above hold.

In this section we show that behavioural equivalence is factorisable by the indistinguishability relation. First we prove left-factorisability.

Theorem 6 (Left-Factorisability). $A/\!\approx_A \cong B/\!\approx_B \Rightarrow A \equiv_{OBS} B$.

Proof. $A/\!\approx_A \cong B/\!\approx_B$ implies $A/\!\approx_A \equiv_{OBS} B/\!\approx_B$. From theorem 4, we have $A/\!\approx_A \equiv_{OBS} A$ and $B/\!\approx_B \equiv_{OBS} B$. Thus $A \equiv_{OBS} B$ by transitivity. □

In [7], Hofmann and Sannella represented the indistinguishability relation and the "experiments" for behavioural equivalence in a higher-order logic, then showed that the satisfiability of the experiments coincides in each model when the quotients of two models are isomorphic. However this approach seems not to work in this paper, since their method depends on the finiteness of specifications to represent the indistinguishability relation, while combinatory algebras have a countably infinite number of types and $S$, $K$-combinators.

The proof of right-factorisability is essentially the same as the one in [7]. 

Theorem 7 (Right-Factorisability). $A \equiv_{OBS} B \Rightarrow A/\!\approx_A \cong B/\!\approx_B$.

Proof. (Sketch) From $A \equiv_{OBS} B$, there is an observational pre-logical relation $R \subseteq A \times B$ w.r.t. OBS. Now we define a relation $h \subseteq A/\!\approx_A \times B/\!\approx_B$:

$h^\tau = \{(A/\!\approx_A\llbracket M\rrbracket\rho,\ B/\!\approx_B\llbracket M\rrbracket\rho') \mid \Gamma \text{ is an OBS-context} \wedge \Gamma \vdash M : \tau \wedge (\rho, \rho') \in R^\Gamma\}$

We can show that $h$ gives a partial injection in both directions. Moreover, all elements in $A/\!\approx_A$ and $B/\!\approx_B$ are OBS-reachable. Therefore $h^\tau$ is total and surjective, i.e. $h^\tau$ is bijective for each $\tau \in \mathrm{Typ}(\Sigma)$. It is easy to see that $h$ is a $\Sigma$-isomorphism. □
6 Higher-Order Logic to Reason about Higher-Typed Languages

We consider a higher-order logic to reason about specifications in the higher-order 
typed languages. We introduce two models of the higher-order logic; one is the stan- 
dard model, which equates two programs when they have the same denotations, and the 
other is the behavioural model, which equates two programs when they have the same 
behaviour. The latter model is useful when we reason about specifications based on be- 
haviour of programs. We then relate standard satisfaction and behavioural satisfaction. 

6.1 Syntax 

The higher-order logic considered in this section is designed to reason about combinatory algebras over a signature $\Sigma$. Thus the logic has constants for the application operator $\bullet$ and the $S$, $K$-combinators corresponding to those in combinatory algebras.

The syntax of the higher-order logic can be formalised in the framework of the 
simply typed lambda calculus — it is just a lambda calculus over a certain signature 
(which is an extension of E) providing a type of propositions and constants for logical 
connectives. 

Although we can reuse definitions, syntax and terminology of the simply typed lambda calculus, we re-define them for higher-order logic to make it clear which calculus we are talking about. We use a different function type symbol $\Rightarrow$ instead of $\to$ and write $\mathrm{Typ}^\Rightarrow(U)$ for the set defined by the BNF $\phi ::= b \mid \phi \Rightarrow \phi$ where $b \in U$.

Definition 14 (Higher-Order Logic). The syntax of higher-order logic over $\Sigma$ is given by the syntax of the simply typed lambda calculus over the signature $\Sigma_{HOL} = (U_{HOL}, C_{HOL})$ defined by:

$U_{HOL} = \{\Omega\} \cup \mathrm{Typ}(\Sigma)$

$C_{HOL} = \{\supset : \Omega \Rightarrow \Omega \Rightarrow \Omega\} \cup \{=^\phi : \phi \Rightarrow \phi \Rightarrow \Omega \mid \phi \in \mathrm{Typ}^\Rightarrow(U_{HOL})\} \cup \{\bullet^{\tau,\tau'} : (\tau \to \tau') \Rightarrow \tau \Rightarrow \tau' \mid \tau, \tau' \in \mathrm{Typ}(\Sigma)\} \cup C_{SK}$

We may omit the types of constants in superscripts if they are obvious from the context. The constants $\supset$, $=$ and $\bullet$ are used as infix operators.

We call types of $\Sigma_{HOL}$ formula types (ranged over by $\phi$) and terms of $\Sigma_{HOL}$ formulas (ranged over by $F$). In this logic, a lambda term $M$ is represented by a formula $M_{SK}$, which is a combinatorial representation of $M$ by constants in $C_{SK}$ and $\bullet$.

Lambda abstraction plus the logical constants $\supset$ and $=$ are powerful enough to derive other familiar logical constants such as $tt$, $ff$, $\neg$, $\wedge$, $\vee$, $\neq$ and the quantifiers $\forall x : \phi .\ F$ and $\exists x : \phi .\ F$. See [1] for the definition and the axioms for the logical constants.

Example 4. The higher-order logic considered in this section is dedicated to reasoning about the combinatory algebras providing the semantics of the lambda calculus. Thus the higher-order logic has the axiom schema for the $S$ and $K$ combinators (see definition 2). We may need to add extra axioms depending on the properties of the underlying combinatory algebra. If one assumes that it is a Henkin model, one adds the axiom scheme of extensionality: $\forall x, y : \tau \to \tau' .\ (\forall z : \tau .\ x \bullet z = y \bullet z) \supset x = y$.

In the higher-order logic over the Set signature of example 2 we would like to assume the induction principle for type $nat$:

$\forall p : nat \Rightarrow \Omega .\ p\,0 \supset (\forall x : nat .\ p\,x \supset p\,(succ \bullet x)) \supset \forall x : nat .\ p\,x .$

We can also specify the behaviour of constants, like

$isempty \bullet \emptyset = tt$

$\forall p, q : nat \to bool,\ s : set .\ filter \bullet p \bullet (filter \bullet q \bullet s) = filter \bullet q \bullet (filter \bullet p \bullet s)$

Proof systems for the higher-order logic and its soundness and completeness are not 
covered in this paper. For details see [6] . 

6.2 Standard Satisfaction and Behavioural Satisfaction 

We apply the semantic framework of the simply typed lambda calculus to give semantics to the higher-order logic. A model of the higher-order logic, say $\mathcal{M}$, is built on top of a combinatory algebra $A$. Constant symbols for combinatory algebras such as $S$, $K$ and $\bullet$ are interpreted by the corresponding elements $S_A$, $K_A$ and $\bullet_A$. Do not confuse the underlying combinatory algebra $A$ and the model $\mathcal{M}$ of the higher-order logic.

We introduce two models. One is the standard model, which interprets $\Omega$ as the two-point set $2 = \{tt, ff\}$, the function type $\Rightarrow$ as the set-theoretic function space, $\supset$ as the (curried form of) boolean implication and $=$ as the (curried form of) characteristic function of set-theoretic equality.

Definition 15 (Standard Model). The standard model $\mathcal{L}_A$ of the higher-order logic over $A$ is a $\Sigma_{HOL}$-full type hierarchy over $\mathcal{L}_A^\Omega = 2$ and $\mathcal{L}_A^\tau = A^\tau$ together with the following interpretation of the logical constants:

$(\supset_{\mathcal{L}_A} x)(y) = tt \iff (x = tt \Rightarrow y = tt)$

$(=_{\mathcal{L}_A} x)(y) = tt \iff x = y$

$(\bullet_{\mathcal{L}_A} x)(y) = x \bullet_A y$

$c_{\mathcal{L}_A} = c_A \quad (c \in C_{SK}).$

We say that a closed formula $F : \Omega$ is satisfied (written $A \models F$) if $\mathcal{L}_A\llbracket F\rrbracket = tt$.

The other model is the behavioural model w.r.t. a pre-logical PER $E$ over $A$. The standard model is not appropriate when we want to reason about specifications up to their behaviour rather than their denotation. This is because the equality may distinguish two different denotations even though they have the same behaviour. The behavioural model solves this problem by interpreting each predicate type $\phi$ as $|\bar{E}^\phi|$, where $\bar{E}$ is the extension of $E$ to all predicate types using the exponential relation, and the equality as the equivalence relation $\bar{E}$ over $|\bar{E}^\phi|$. In particular, $E$ is often taken as the indistinguishability relation over $A$ (see theorem 4).

Definition 16 (Behavioural Model). Given a pre-logical PER $E$ over $A$, we define a PER $\bar{E}$ over the carrier sets $\mathcal{L}_A$ as follows:

Then the behavioural model of the higher-order logic over $A$ with respect to $E$ is given by a $\Sigma_{HOL}$-type frame $(\mathcal{L}_E, (-)_{\mathcal{L}_E})$ where $\mathcal{L}_E^\phi = |\bar{E}^\phi|$ and $(-)_{\mathcal{L}_E}$ gives the interpretation of the logical constants as follows:

$(\supset_{\mathcal{L}_E} x)(y) = tt \iff (x = tt \Rightarrow y = tt)$

$(=_{\mathcal{L}_E} x)(y) = tt \iff x\ \bar{E}\ y$

$(\bullet_{\mathcal{L}_E} x)(y) = x \bullet_A y$

$c_{\mathcal{L}_E} = c_A \quad (c \in C_{SK}).$

We say that a closed formula $F : \Omega$ is satisfied w.r.t. $E$ (written $A \models_E F$) if $\mathcal{L}_E\llbracket F\rrbracket = tt$.

We show that the standard model over $A/E$ and the behavioural model over $A$ w.r.t. $E$ satisfy the same formulas (c.f. theorem 3.35 in [7]). We notice that this is implied by $\mathcal{L}_{A/E} \equiv_{\{\Omega\}} \mathcal{L}_E$, since from $\mathcal{L}_{A/E} \equiv_{\{\Omega\}} \mathcal{L}_E$, for all closed formulas $F$, we have $\mathcal{L}_{A/E}\llbracket F\rrbracket = \mathcal{L}_{A/E}\llbracket tt\rrbracket = tt \iff \mathcal{L}_E\llbracket F\rrbracket = \mathcal{L}_E\llbracket tt\rrbracket = tt$.

Theorem 8. $\mathcal{L}_{A/E} \equiv_{\{\Omega\}} \mathcal{L}_E$.

Proof. (Sketch) We construct an observational pre-logical relation $R \subseteq \mathcal{L}_{A/E} \times \mathcal{L}_E$ w.r.t. $\{\Omega\}$ and apply theorem 3. First we show that there is a family of isomorphisms $h^\phi : \mathcal{L}_{A/E}^\phi \cong \mathcal{L}_A^\phi/\bar{E}^\phi$ for the carrier sets of $\mathcal{L}_{A/E}$. Let $\iota^\phi \subseteq \mathcal{L}_E^\phi \times |\bar{E}^\phi|$ be the inclusion relation. Then the pre-logical relation in question is given by the composition relation

$\iota^\phi \circ \eta(\bar{E})^\phi \circ h^\phi \subseteq \mathcal{L}_{A/E}^\phi \times \mathcal{L}_E^\phi .$ □

Corollary 1. For all closed formulas $F : \Omega$, $A/E \models F$ iff $A \models_E F$.

7 Reasoning about Specifications

We revisit the model theory of behavioural and abstractor specifications studied in [4]. Behavioural equivalence $\equiv_{OBS}$ is factorisable by the indistinguishability relation $\approx$ (theorems 6 and 7), and for any $A \in CA(\Sigma)$, $A/\!\approx_A$ is fully abstract (theorem 5). The latter implies that $\approx$ is a regular relation (see the footnote below). One important consequence of this setting is the following relationship between behavioural and abstractor specifications. Due to space limitations, we only state the theorem without giving the definitions of the symbols. For details, see [4].

Theorem 9 (Bidoit et al. [4]). Let $SP = (\Sigma, \Phi)$ be a specification, where $\Phi$ is a set of formulas in the higher-order logic over $\Sigma$. Then we have:

$\mathrm{Mod}(\mathbf{behaviour}\ SP\ \text{w.r.t.}\ \approx) = (\mathrm{FA}^{\approx}(\mathrm{Mod}(SP)))$

$\mathrm{Mod}(\mathbf{abstract}\ SP\ \text{w.r.t.}\ \equiv_{OBS}) = \mathrm{Mod}(\mathbf{behaviour}\ SP/\!\approx\ \text{w.r.t.}\ \approx)$

$\mathrm{Th}^{\approx}(\mathrm{Mod}(\mathbf{behaviour}\ SP\ \text{w.r.t.}\ \approx)) = \mathrm{Th}(\mathrm{FA}^{\approx}(\mathrm{Mod}(SP)))$

$\mathrm{Th}^{\approx}(\mathrm{Mod}(\mathbf{abstract}\ SP\ \text{w.r.t.}\ \equiv_{OBS})) = \mathrm{Th}(\mathrm{Mod}(SP/\!\approx))$

Proof. See theorems 5.16, 6.8 and 7.4 in [4]. □

Footnote: A $CA(\Sigma)$-indexed family of PERs $E$ is regular if $A/E_A$ is fully abstract (see [4]).
Related Work

The work by Bidoit, Hennicker and Wirsing [4] established the key idea of factorisability to relate behavioural equivalence and the indistinguishability relation, and they used this to reason about the semantics of behavioural and abstractor specifications. Subsequent work by Bidoit and Hennicker [3] discussed a proof method for showing behavioural equivalence in first-order logic, and considered finitary axiomatisation of behavioural equality. The above work is extended by Hofmann and Sannella [7] to higher-order logic. This paper is an extension of their work from first-order $\Sigma$-algebras to combinatory algebras. Bidoit and Tarlecki [5] gave a categorical generalisation of [4]. See the end of section 5 for comments on the relationship to the present paper.

Our characterisation of behavioural equivalence is related to Mitchell's representation independence theorem [10]. Honsell and Sannella [8] removed the restriction on the constants by using pre-logical relations instead of logical relations. This paper shows a similar result about behavioural equivalence, which subsumes closed observational equivalence.

In [5], Bidoit and Tarlecki give a relationship between behavioural satisfaction, be- 
havioural equivalence, indistinguishability and correspondences in an abstract setting 
using concrete categories (a faithful functor to the category of (type-indexed) sets). 
By instantiating their concrete categories with various real examples, such as the cat- 
egory of multi-sorted algebras and regular algebras, we can derive suitable notions of 
behavioural equivalence, indistinguishability, etc. and theorems on them. 

We can instantiate their abstract framework with the category of $\Sigma$-combinatory algebras $CA(\Sigma)$, and obtain various results on behavioural equivalence and indistinguishability. Pre-logical relations correspond to spans (moreover correspondences), and pre-logical PERs correspond to partial congruences in their terminology. Category $CA(\Sigma)$ satisfies certain properties (see the footnote below), thus we can obtain a theorem characterising behavioural equivalence via correspondences (see theorem 28 of [5]).

Their definitions of indistinguishability and behavioural equivalence are abstract: they define the indistinguishability relation as the largest congruence over the full subobject $(|A|_{OBS})_A$ of $A$. Then behavioural equivalence is defined by $A \equiv_{OBS} B$ iff $A/\!\approx_A \cong B/\!\approx_B$. In contrast, in this paper we give an explicit definition of behavioural equivalence and indistinguishability, and show the relationship between them in an elementary way.

8 Conclusion 

We have extended the study of the relationship between behavioural equivalence and 
indistinguishability [4, 7] to the simply typed lambda calculus, where higher-order types 
are available. We characterised behavioural equivalence between two combinatory alge- 
bras by pre-logical relations, and showed that behavioural equivalence is factorised by 
indistinguishability. We also showed that standard satisfaction over A/ E is equivalent 
to behavioural satisfaction w.r.t. a PER E over A. 

Footnote: Category $CA(\Sigma)$ admits renaming and has full subobjects and surjective quotients. All full subobjects are compatible with $CA(\Sigma)$-morphisms. Pullbacks preserve surjective quotients, and quotients are fully compatible with subobjects in $CA(\Sigma)$.

It is interesting to restrict the class of models from combinatory algebras to Henkin
models, where the extensionality axiom holds. This changes the properties of the class 
of models; in particular it is not closed under quotient by pre-logical PERs. It will be 
interesting to see how behavioural equivalence and the indistinguishability relation are 
characterised in the class of Henkin models. 
Abstract. In this paper, we propose new structuring concepts for rule-
based systems that are independent of the type of rules and of the type 
of configurations to which rules are applied. Hence the concepts are ap- 
plicable in various rule-based approaches allowing one to build up large 
systems from small components in a systematic way. 



1 Introduction 

In many areas of computer science (like term rewriting, theorem proving, logic 
programming, functional programming, knowledge representation, algebraic 
specification, graph transformation, theory of formal languages, etc.), data- 
processing systems of various kinds are frequently modeled by means of rules. 
The basic features are always alike. There are configurations (like strings, terms, 
trees, graphs, sets, etc.) to represent the states of systems, and there are rules 
which can be applied to configurations yielding configurations. In this way, each 
rule provides a binary relation on configurations, and an operational system 
semantics is obtained by sequential composition of these relations - usually 
obeying some kind of control condition in addition. But a common understand- 
ing of the structuring of rule-based systems seems to be missing. For exam- 
ple, the area of algebraic specification is rich in structuring concepts (see e.g., 
[EM85, EM90, AKK99]), but their semantics is usually based on the notion of 
an algebra which is not available in other rule-based approaches. In functional 
and logic programming, rules can be grouped together under the heading of a 
function or a predicate, which is not possible in other approaches. 

In this paper, we propose the notions of transformation units and transforma- 
tion modules as structuring principles that can be used within many rule-based 
approaches. A transformation unit encapsulates a set of rules accompanied by 
specifications of initial and terminal configurations as well as a control condition. 
Moreover, it may import other transformation units for structuring purposes. 
The semantics of a transformation unit is given as a binary relation between 
initial and terminal configurations by interleaving rule applications and calls of 
imported units according to the control condition. 

A collection of transformation units which are closed under import form a 
network of transformation units. The semantics of such a network is given by the 
iteration of the interleaving semantics. This allows one to broadcast the interleaving 
effects at the nodes along the network structure to other nodes. Under suitable 
circumstances, the iterated interleaving semantics is a fixed point. A network 
becomes a transformation module if it is provided with an import interface and 
an export interface. 

The introduced concepts of transformation units and transformation mod- 
ules generalize our respective notions for graph transformation approaches (see 
[KK96, KKS97, KK99a, KK99b, DKKK00, HHKK00]). 

The running example, illustrating the new structuring concepts, is taken from 
the area of algebraic specification and term rewriting and specifies a balancedness 
test for binary trees as a transformation module. 



2 Transformation Units 

In this section, we introduce the notion of a transformation unit as a means to de- 
compose a system with a large set of rules into a family of subcomponents which 
use each other. The notion is independent of a particular rule-based framework. 
This is achieved by assuming an underlying rule base which comprises a domain 
of configurations, a class of rules, and a rule application operator describing 
how a rule is applied to a configuration. Moreover, there are configuration class 
expressions to describe initial and terminal configurations, and control condi- 
tions to specify rule application strategies. A rule base provides the syntactic 
and semantic components of which transformation units and their behaviour are 
put together. A transformation unit encapsulates a set of rules together with 
a control condition and descriptions of initial and terminal configurations. For 
structuring purpose, it has a set of identifiers which refer to imported entities. 
Semantically, a transformation unit specifies a binary relation between its initial 
and terminal configurations. The relation is obtained operationally by inter- 
leaving rule applications and calls of imported items according to the control 
condition. It is well-defined whenever some choice of binary relations on configu- 
rations is fixed for the import identifiers. In this sense, the interleaving semantics 
of transformation units is generic, and many choices of the imported parameters 
are possible. The typical case that the identifiers refer to other transformation 
units is discussed in Section 3. 



2.1 Syntax and Semantics 

1. A rule base $\mathcal{B}$ consists of a class $\mathcal{K}$ of configurations, a class $\mathcal{R}$ of rules, a rule application operator yielding a binary relation $\Rightarrow_r \subseteq \mathcal{K} \times \mathcal{K}$ for each $r \in \mathcal{R}$, a class $\mathcal{E}$ of configuration class expressions where each $e \in \mathcal{E}$ specifies a subclass $SEM_E(e) \subseteq \mathcal{K}$, and a class $\mathcal{C}$ of control conditions where each $c \in \mathcal{C}$ specifies a binary relation $SEM_E(c) \subseteq \mathcal{K} \times \mathcal{K}$. In the latter two cases, the semantics depends on the environment $E$, i.e. a choice of a binary relation $E(id) \subseteq \mathcal{K} \times \mathcal{K}$ for each $id \in ID$ where $ID$ is a given set of identifiers.
2. A transformation unit over a rule base is a system $tu = (I, U, R, C, T)$ where $I$ and $T$ are configuration class expressions specifying initial and terminal configurations, $U$ is a finite set of import identifiers, $R$ is a set of rules, and $C$ is a control condition. Moreover, each rule $r \in R$ has got an identifier $id(r) \in ID$ with $id(r) \notin U$.

3. Let $SEM$ be a mapping associating a binary relation on configurations, $SEM(id) \subseteq \mathcal{K} \times \mathcal{K}$, to each $id \in U$. Then a transformation unit $tu = (I, U, R, C, T)$ defines a binary relation $INTER_{SEM}(tu) \subseteq \mathcal{K} \times \mathcal{K}$ such that $(con, con') \in INTER_{SEM}(tu)$ if and only if

- $con \in SEM_{E(tu,SEM)}(I)$, $con' \in SEM_{E(tu,SEM)}(T)$,

- there is a sequence of configurations $con_0, \ldots, con_m$ such that $con = con_0$, $con' = con_m$, and, for $i = 1, \ldots, m$,

  • $(con_{i-1}, con_i) \in SEM(id)$ for some $id \in U$, or

  • $con_{i-1} \Rightarrow_r con_i$ for some $r \in R$,

- $(con, con') \in SEM_{E(tu,SEM)}(C)$

where the environment $E(tu, SEM)$ is given by $E(tu, SEM)(id) = SEM(id)$ for $id \in U$, $E(tu, SEM)(id) = \Rightarrow_r$ if $id = id(r)$ for some $r \in R$, and $E(tu, SEM)(id) = \emptyset$ otherwise.

Sequences of rule applications and calls of imported items (as considered 
above) are called interleaving sequences, and the resulting semantic relation 
INTER sEM{tu) is called interleaving semantics of tu (with respect to SEM). 

A rule base provides the most elementary syntactic and semantic prerequi- 
sites of a rule-based specification language. As in nearly all rule-based settings, a 
rule defines a binary relation on the domain of configurations to which it can be 
applied. In addition, we assume features to specify subdomains and subrelations. 
They may use identifiers to refer to rules and imported units. Therefore, the se- 
mantics of configuration class expressions and control conditions depends on the 
semantics of the named entities. This is reflected by arbitrary environments on 
the level of the rule base while the interleaving semantics of a transformation 
unit depends on special environments where only the import identifiers are still 
variably interpreted. The identifiers of rules are fixed according to the rule ap- 
plication operator, and all other identifiers are interpreted by the empty relation 
such that no interference can happen. 

In this paper, we consider regular expressions over $ID$ as the only control conditions. Identifiers are atomic conditions allowing one to apply a rule or to call an imported entity. And if $e$ and $e'$ are control conditions, $e\,;\,e'$, $e \mid e'$, and $e^*$ are also control conditions allowing one to require certain sequences, alternatives, and iterations, respectively. Every environment $E$ is recursively extended to all regular expressions by sequential composition, union, and Kleene-star closure of binary relations: $SEM_E(e\,;\,e') = SEM_E(e) \circ SEM_E(e')$, $SEM_E(e \mid e') = SEM_E(e) \cup SEM_E(e')$, and $SEM_E(e^*) = (SEM_E(e))^*$, using initially $SEM_E(id) = E(id)$ for $id \in ID$. In this way, regular expressions control the order in which rules are applied and imported units are called. For a finite set of identifiers, there are regular expressions that admit any order. We are using this case as a default control condition, denoted by $OK$.
As a typical kind of configuration class expression, we use $T \subseteq ID$ specifying the set $RED_E(T)$ of reduced normal forms with respect to the environment $E$: $con \in RED_E(T)$ if and only if there are no $t \in T$ and $con' \in \mathcal{K}$ with $(con, con') \in E(t)$. The set $T$ is also denoted by $red(T)$ to stress that reduced normal forms are specified. If each $t \in T$ is the identifier of a rule $r(t)$ and $E(t) = \Rightarrow_{r(t)}$, then $RED_E(T)$ contains all reduced normal forms with respect to a given set of rules. Such reduced normal forms are often used as terminal configurations in the area of term rewriting. We are using the symbol $all$ as default expression with $SEM_E(all) = \mathcal{K}$ for all environments $E$. It may be considered as a special case of reduced normal forms because $RED_E(\emptyset) = \mathcal{K}$.

Given a transformation unit $tu = (I, U, R, C, T)$ with $U = \emptyset$ or with an 
environment $E$ such that $E(id) = \emptyset$ for all $id \in U$, interleaving sequences are 
nothing else than ordinary derivation sequences composed of rule applications 
only. In other words, the notion of transformation units generalizes all kinds of 
rule-based systems which are given by sets of rules. It allows one to use other 
semantic relations besides the local rules to perform computations. There are 
several possibilities to interpret the import part C/ of a transformation unit tu: 

— The elements of U may be identifiers of transformation units that are known 
in the context, for example, as entries of a library of transformation units 
stored for reuse. If such imported units specify a unique semantic relation, 
the interleaving semantics of tu is also uniquely determined. 

— The same applies in a heterogeneous setting where the import identifiers refer 
to some known entities (specifications, programs, etc.) that are interpreted 
by binary relations whatsoever. 

— If an import identifier does not refer to a known item, it may be specified as 
a transformation unit itself. This leads to the notion of a network of transformation units which 
use each other. This case is considered in more detail in Section 3. 



2.2 Examples 

Chomsky grammars. Given an alphabet E, the set E* of all strings over E can 
serve as a class of configurations, and the set E* x E* of all pairs of strings as 
a class of rules. Then a rule r = {u, v) G E* x E* can be applied to w G E* 
yielding w' G E* if there are x,y G E* with w = xuy and w' = xvy. In other 
words, w => 1 . w' is the usual notion of a direct derivation of semi-Thue systems 
and Ghomsky grammars. Moreover, one may use S G E and T Q E as string 
class expressions with SEM{S) = {S'} and SEM{T) = T* and OK as only 
control condition which accepts everything, i.e., SEMe{OK) = E* x E* for all 
environments E. 

A transformation unit over this rule base of the form G = (…, OK, T) is 
just a Chomsky grammar. The interleaving sequences are ordinary derivations, 
and the elements of the interleaving semantics have the form (S, w) with S ⇒*_G w 
and w ∈ T*. In other words, the projection to the second component yields the 
language generated by G. If a grammar is very large, it may be helpful to define 
it in a structured way by breaking up the set of rules into small units. 
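As an added worked example (not part of the paper), the string rule base and the grammar unit above in Python: direct derivations w ⇒_r w' are computed by splitting w = xuy for a rule (u, v), and the interleaving semantics is enumerated breadth-first up to a bounded number of derivation steps, since the full relation is infinite for any non-trivial grammar. The grammar S → aSb | ab, the terminal alphabet {a, b}, the step bound and the `imported` parameter (a list of relations on strings that may be called as steps, which is how the last sentence's splitting of a rule set into small units is modelled) are constructions of this example.

```python
"""Chomsky grammar as a transformation unit over the string rule base."""
from collections import deque
from typing import Callable, Iterable, List, Set, Tuple

Rule = Tuple[str, str]                  # a pair (u, v) in Sigma* x Sigma*
Relation = Callable[[str], Set[str]]    # an imported unit's relation, called on a string


def direct_derivations(w: str, rules: Iterable[Rule]) -> Set[str]:
    """All w' with w => w': for a rule (u, v) and a split w = x u y return x v y."""
    out: Set[str] = set()
    for u, v in rules:
        start = 0
        while True:
            i = w.find(u, start)
            if i < 0:
                break
            out.add(w[:i] + v + w[i + len(u):])
            start = i + 1
    return out


def interleaving_semantics(initial: str, rules: List[Rule], terminal: Set[str],
                           max_steps: int, imported: Iterable[Relation] = ()
                           ) -> Set[Tuple[str, str]]:
    """Pairs (initial, w) of the unit with the given initial expression, imported
    relations, local rules, control condition OK and terminal expression T: every
    interleaving of local rule applications and calls of imported relations that
    starts at `initial` and reaches some w in T*, bounded to at most max_steps
    steps (the unbounded relation is infinite)."""
    imported = list(imported)
    seen = {initial}
    frontier = deque([(initial, 0)])
    result: Set[Tuple[str, str]] = set()
    while frontier:
        w, depth = frontier.popleft()
        if all(c in terminal for c in w):     # w in T*: a terminal configuration
            result.add((initial, w))
        if depth == max_steps:
            continue
        successors = direct_derivations(w, rules)
        for rel in imported:                  # a call of an imported relation
            successors |= rel(w)
        for w2 in successors:
            if w2 not in seen:                # breadth-first: first visit is shortest
                seen.add(w2)
                frontier.append((w2, depth + 1))
    return result


def language(initial, rules, terminal, max_steps, imported=()) -> Set[str]:
    """Projection of the interleaving semantics to its second component."""
    return {w for _, w in interleaving_semantics(initial, rules, terminal,
                                                 max_steps, imported)}


# Constructed grammar: S -> aSb | ab generates {a^n b^n | n >= 1}.
GRAMMAR: List[Rule] = [("S", "aSb"), ("S", "ab")]
TERMINALS = {"a", "b"}


def base_unit(w: str) -> Set[str]:
    """The same grammar split in two: this unit carries S -> ab and is imported
    by a unit that keeps only the recursive rule S -> aSb locally."""
    return direct_derivations(w, [("S", "ab")])


if __name__ == "__main__":
    print(sorted(language("S", GRAMMAR, TERMINALS, 4)))
    print(sorted(language("S", [("S", "aSb")], TERMINALS, 4, imported=[base_unit])))
```

Both calls print the same four strings: whether the rule S → ab is a local rule or a called relation makes no difference to the interleaving semantics, which is the point of structuring a large grammar into units.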




Approach-Independent Structuring Concepts for Rule-Based Systems 303 

Term rewriting. Let Σ = (S, OP) be a many-sorted signature where S is a set 
of sorts and OP an S* × S-sorted set of operators. Let X be an S-sorted set of 
variables. Then the S-sorted set of terms over Σ with variables in X, T_Σ(X), 
provides a class of configurations. The set of all pairs T_Σ(X) × T_Σ(X) may be 
used as a class of rules. Such a rule r = (L, R), also written L → R, is applied to 
a term in the usual sense of term rewriting: Let t_0 be a context term with a single 
occurrence of a variable, and let ass: X → T_Σ(X) be an assignment of terms to 
variables, then t_0[L[ass]] ⇒ t_0[R[ass]] where t_0[t] denotes the substitution of 
the single variable of t_0 by t, and t[ass] is obtained from t by substituting all 
variables according to the assignment. 

Alternatively, one may use only ground terms as configurations, i.e. T_Σ in- 
stead of T_Σ(X). In this case, a rule application requires an assignment of the 
form ass: X → T_Σ. 

Together with the control condition OK and reduced normal forms, term 
rewriting provides a rule base. A transformation unit over it of the form spec = 
(all, ∅, R, OK, red(id(R))), where id(R) contains the identifiers of the rules of R, 
is a term rewrite system in the ordinary sense (see, e.g., [HO80, Kir99]). 

Often, the aim of a term rewrite system is to evaluate terms of a particular 
form like op(t_1, …, t_n) where op ∈ OP and t_1, …, t_n are constructor terms. To 
be able to specify such initial terms, we consider pairs t_0 on Σ_0 with t_0 ∈ T_Σ(X) 
and Σ_0 ⊆ Σ as term class expressions. The semantics of t_0 on Σ_0 is given by 
all substitutions with Σ_0-terms, i.e. SEM(t_0 on Σ_0) = {t_0[ass] | ass: X → T_{Σ_0}}. 
This is independent of the environment. 

As an explicit example of a term rewrite system in form of transformation 
units, we specify a predicate on binary trees that tests whether the input tree 
is totally balanced or not. The idea is to compute the height of the tree and its 
“balance” which is the height up to which the tree is totally balanced and then 
to check the equality of the two values. To illustrate the role and effect of the 
import component, height, balance, and the equality test on natural numbers 
are imported. 

is-balanced 
initial: is B balanced on bintree_0 
uses: height, balance, nat 
rules: (test) is B balanced → height(B) = balance(B) 
terminal: red(test, height, balance, nat) 

where test is the name of the rule and B is a variable of sort bintree. As 
generally introduced above, the underlying rule base is given by the signature 

bintree = alphabet + nat + 
sorts: bintree 
opns: leaf: A → bintree 
      (_, _, _): bintree A bintree → bintree 
      height: bintree → nat 
      balance: bintree → nat 
      is _ balanced: bintree → bool 

where alphabet provides the sort A and nat the usual arithmetic on natu- 
ral numbers including minimum min, maximum max, and an equality test =. 
The subsignature of bintree given by alphabet, the sort bintree and the two 
operations leaf and (_, _, _) is denoted by bintree_0. 

Starting an interleaving sequence with the initial term is b balanced where 
b is some bintree_0-term, like for example ((leaf(e), a, leaf(f)), p, leaf(s)), one 
can apply the rule and get height(b) = balance(b). This is already the result if 
the imported relations are empty. If height and balance refer to relations that 
allow one to replace subterms of the form height(b) and balance(b) by nat-terms, 
then we can call these relations one after the other, obtaining m = balance(b) 
(or height(b) = n) and m = n. If finally nat provides a relation that evaluates 
m = n and yields some truth value, then this can be called. To end up with 
a reduced normal form, the four steps are also necessary. Whether the result 
is correct depends on the correctness of the imported relations, which may be 
specified analogously. 



height 
initial: height(B) on bintree_0 
uses: nat 
rules: (h1) height(a) → 0 
       (h2) height((L, a, R)) → 1 + max(height(L), height(R)) 
terminal: red(h1, h2, nat) 

balance 
initial: balance(B) on bintree_0 
uses: nat 
rules: (b1) balance(a) → 0 
       (b2) balance((L, a, R)) → 1 + min(balance(L), balance(R)) 
terminal: red(b1, b2, nat) 



With respect to the import identifier nat, we assume that the correspond- 
ing relation is available in the context, as a predefined transformation unit, for 
example. 
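The is-balanced network as an added Python example (not the paper's own formalism): terms are nested tuples, the rules test, h1, h2, b1, b2 and the evaluation performed by nat are rewrite steps applied under context closure, and reduce_term runs them to a reduced normal form while recording which rule or imported unit each step used, so the interleaving sequence test, height, balance, nat described above becomes visible. The tuple encoding, the leftmost-outermost strategy, the sample trees and the names is_balanced and node are assumptions of this example; leaves are written leaf(a) as in the signature, and the rules h1 and b1 take a leaf as their base case.

```python
"""Term rewriting model of the is-balanced / height / balance / nat network."""
from typing import Any, Callable, Dict, List, Optional, Tuple

Term = Any                                # int, bool, or a tuple ("symbol", arg1, ...)
Rule = Callable[[Term], Optional[Term]]   # the contractum, or None if not applicable here


def leaf(a: str) -> Term:
    return ("leaf", a)


def node(left: Term, a: str, right: Term) -> Term:
    return ("node", left, a, right)       # the paper's (L, a, R)


def _is_nat(x: Term) -> bool:
    return isinstance(x, int) and not isinstance(x, bool)


def _is_tree(t: Term, constructor: str) -> bool:
    return isinstance(t, tuple) and t[0] == constructor


# Local rule of is-balanced; the mixfix term "is B balanced" is encoded as ("is_balanced", B).
def rule_test(t: Term) -> Optional[Term]:
    if _is_tree(t, "is_balanced"):
        return ("=", ("height", t[1]), ("balance", t[1]))
    return None


# Rules of the unit height (h1, h2).
def rule_h1(t: Term) -> Optional[Term]:
    return 0 if _is_tree(t, "height") and _is_tree(t[1], "leaf") else None


def rule_h2(t: Term) -> Optional[Term]:
    if _is_tree(t, "height") and _is_tree(t[1], "node"):
        _, l, _, r = t[1]
        return ("+", 1, ("max", ("height", l), ("height", r)))
    return None


# Rules of the unit balance (b1, b2).
def rule_b1(t: Term) -> Optional[Term]:
    return 0 if _is_tree(t, "balance") and _is_tree(t[1], "leaf") else None


def rule_b2(t: Term) -> Optional[Term]:
    if _is_tree(t, "balance") and _is_tree(t[1], "node"):
        _, l, _, r = t[1]
        return ("+", 1, ("min", ("balance", l), ("balance", r)))
    return None


# Imported unit nat: evaluates +, max, min and = on natural-number literals.
def rule_nat(t: Term) -> Optional[Term]:
    if isinstance(t, tuple) and len(t) == 3 and _is_nat(t[1]) and _is_nat(t[2]):
        op, m, n = t
        return {"+": m + n, "max": max(m, n), "min": min(m, n), "=": m == n}.get(op)
    return None


RULES: Dict[str, Rule] = {"test": rule_test, "h1": rule_h1, "h2": rule_h2,
                          "b1": rule_b1, "b2": rule_b2, "nat": rule_nat}


def rewrite_once(t: Term, rules: Dict[str, Rule] = RULES) -> Optional[Tuple[Term, str]]:
    """One step under context closure: try every rule at the root, otherwise descend
    into the arguments left to right. Returns (new term, rule name) or None."""
    for name, rule in rules.items():
        out = rule(t)
        if out is not None:
            return out, name
    if isinstance(t, tuple):
        for i in range(1, len(t)):
            step = rewrite_once(t[i], rules)
            if step is not None:
                new_arg, name = step
                return t[:i] + (new_arg,) + t[i + 1:], name
    return None


def reduce_term(t: Term, rules: Dict[str, Rule] = RULES) -> Tuple[Term, List[str]]:
    """Rewrite to a reduced normal form; returns (normal form, rule names used in order)."""
    trace: List[str] = []
    while True:
        step = rewrite_once(t, rules)
        if step is None:
            return t, trace
        t, name = step
        trace.append(name)


# Constructed sample trees; the first has the shape of the paper's example term.
T_UNBALANCED = node(node(leaf("e"), "a", leaf("f")), "p", leaf("s"))
T_BALANCED = node(node(leaf("x"), "a", leaf("y")), "b", node(leaf("u"), "c", leaf("v")))

if __name__ == "__main__":
    print(reduce_term(("is_balanced", T_UNBALANCED)))   # (False, ['test', 'h2', ...])
    print(reduce_term(("is_balanced", T_BALANCED)))     # (True, ['test', 'h2', ...])
```

The first component of each result is the reduced normal form; the trace shows that test fires first and that the height, balance and nat steps are all needed before a truth value is reached, exactly the four-step structure the text describes.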



Graph transformation. The area of graph transformation provides a great variety 
of rule-based approaches (see e.g., [Roz97, EEKR99, EKMR99]) because there 
are many types of graphs and many ways to apply rules to them. As we originally 
introduced the concepts of transformation units for arbitrary graph 
transformation approaches, which are special cases of rule bases, our consider- 
ations in [KK96, KKS97, KK99a] provide many examples in the more general 
setting of this paper, too, including, for instance, a structured specification of 
the Floyd-Warshall algorithm for shortest paths and a graph colouring algorithm 
in the style of constraint programming. 



3 Transformation Modules 

The basic idea of transformation units is to specify a semantic relation by the 
interleaving of local rules and imported relations. If these relations are known 
in the context, the interleaving semantics describes the situation properly. But 
what about the case that the import identifiers refer to other transformation 
units which are not predefined, but are defined at the same time or level as the 
actual transformation unit? What happens in particular if there is a cycle in the 
import structure of a collection of transformation units? To handle such cases, 
we introduce networks of transformation units and aggregate and iterate the 
interleaving semantics over the networks. This allows one to start even with empty 
relations and to broadcast the computational effects at the nodes of the net along 
the net structure. 

While a transformation unit specifies a single binary relation on configura- 
tions, a network provides a family of such relations, one for each node. Some of 
these relations may be of particular interest while others are of an auxiliary na- 
ture. Hence it is meaningful to distinguish between units of interest and auxiliary 
units by means of an export interface which consists of a subset of nodes of the 
network. Moreover, some of the nodes of the network may refer to transformation 
units which are already known in the context and are reused by the network. 
This can be described by an import interface. A network of transformation units 
together with import and export interfaces is a transformation module. Seman- 
tically, it specifies a family of relations on configurations, one relation for each 
export node. This is obtained by the restriction of the iterated interleaving se- 
mantics of the network to the export interface. The resulting relations depend 
on the semantics of the import interface. 

It is actually quite easy to extend the notion of the interleaving semantics to 
a network of transformation units: Assuming that each node has got a semantic 
relation, one can just construct the interleaving semantics for each node using the 
semantic relations of the imported units for interleaving. And because this yields 
a semantic relation for each node, the process can be repeated as often as one 
likes. Unfortunately, it is not always adequate to use the interleaving semantics of 
an imported node to build up the interleaving semantics of the importing node. 
In the second example of Section 2.2, height specifies a relation with entries 
of the form (height(b), n) where b is some bintree_0-term and n some nat-term. 
But in the evaluation of is b balanced ⇒ height(b) = balance(b), height(b) occurs 
in a larger context so that the height-relation cannot be called directly. It must 
be modified and adapted before it can be applied. To overcome such problems, 
we allow reconstructions of relations before they are called in the interleaving 
semantics of a network. 

3.1 Networks of Transformation Units 

A network of transformation units is a system N consisting of a set V ⊆ ID and 
a mapping tu that assigns a transformation unit tu(id) = (I_id, U_id, R_id, C_id, T_id) 
to each id ∈ V such that U_id ⊆ V, i.e. each transformation unit of N imports 
transformation units of N. 

N can be seen as a directed and node-labelled graph with V as the set of 
nodes, tu as the node labelling and a set of edges containing a pair (id, id') ∈ 
V × V if and only if id' ∈ U_id. 
If all local transformation units of N have got semantic relations, i.e. there is 
a mapping SEM: V → 2^{K×K}¹, the interleaving semantics INTER_{SEM|U_id}(tu(id)) 
is defined for each id ∈ V where SEM|U_id is the restriction of SEM to U_id. In this 
way, the interleaving semantics is extended to the interleaving operator INTER_0 
with INTER_0(SEM): V → 2^{K×K} given by 

INTER_0(SEM)(id) = INTER_{SEM|U_id}(tu(id)) 

for id ∈ V. 

Alternatively, one can consider an aggregating interleaving operator INTER_1 
that keeps the given semantic relations and adds the interleaving effect. This 
means INTER_1(SEM): V → 2^{K×K} is defined for id ∈ V by 

INTER_1(SEM)(id) = SEM(id) ∪ INTER_0(SEM)(id). 

Moreover, if F: 2^{K×K} → 2^{K×K} is some construction on binary relations of 
configurations, both interleaving operators can be modified in such a way that 
the relations F(SEM(id)) for id ∈ V are used in the interleaving instead of 
SEM(id). Formally, INTER_i^F for i = 0, 1 is defined for SEM and id ∈ V by 
INTER_i^F(SEM)(id) = INTER_i(F ∘ SEM)(id) where F ∘ SEM is the sequential 
composition of SEM followed by F. 

Each of the variants of the interleaving operator is a function mapping a 
mapping from V to 2^{K×K} into a mapping from V to 2^{K×K} and, therefore, can be 
iterated ad infinitum. Explicitly, let INTER be some interleaving operator and let 
ITERATE_0(N): V → 2^{K×K} be some mapping associating an initial relation to 
each node of N. Then we get a sequence of such mappings ITERATE_i(N): V → 
2^{K×K} defined inductively by ITERATE_{i+1}(N) = INTER(ITERATE_i(N)). Its 
union ITERATE(N): V → 2^{K×K} given by 

ITERATE(N)(id) = ⋃_{i∈ℕ} ITERATE_i(N)(id) 

for each id ∈ V is called the iterated interleaving semantics. 

The interleaving operators import semantic relations and interleave them 
with the relations of the local rules. The resulting relations depend on the import 
so that the iterations of the interleaving operator may produce new results. The 
following second example shows that this can go on ad infinitum. 

3.2 Examples 

Term rewriting continued. The transformation units is-balanced, height, bal- 
ance, and nat in Section 2.2 form a network. 




To discuss its iterated interleaving semantics, let us consider INTER_1^{CC} as 
underlying interleaving operator where CC is the context closure of pairs of 
terms, i.e. CC(P) for P ⊆ T_Σ(X) × T_Σ(X) contains all pairs (t_0[L], t_0[R]) for 
(L, R) ∈ P and all context terms t_0. We may assume that nat is predefined 
with the ordinary evaluation of nat-terms as semantic relation. Choosing this 
relation as ITERATE_0(nat), it does not change in further steps of iteration 
provided that nat is properly specified. If the initial semantics of the other 
three nodes is empty, ITERATE_1 contains everything that is computed by rule 
applications and calls of nat. For height and balance, this is already the final 
semantics because there are no further interleaving sequences than those in the 
first step. In particular, ITERATE_2(is-balanced) makes use of it such that all 
proper computations take place in this step. No further interleaving sequences 
can appear in further steps. 

¹ 2^{K×K} denotes the set of all binary relations on configurations. 

It can be shown by induction on the length of interleaving sequences that 
height computes the length of the longest paths in a binary tree and bal- 
ance the height of the largest totally balanced subtree. Hence, a binary tree is 
totally balanced if and only if both values coincide. Exactly this is tested by 
is-balanced. 

Binary trees as a recursive domain. To illustrate the effect of cyclic import, we 
consider a transformation unit that imports itself. 

tree 
initial: ∅ 
uses: tree 
rules: leaf, make 
conds: leaf | (tree ; make) 
terminal: all 

To keep things simple, the underlying rule base is tailored just for this ex- 
ample. The configurations are sets of binary trees. There are two rules, leaf 
and make. If applied to a set B of binary trees, they yield leaf(B) = A and 
make(B) = B ∪ {(L, a, R) | L, R ∈ B, a ∈ A} where A is some label alphabet. 
There are two domain expressions, ∅ and all, the meanings of which are inde- 
pendent of the environment: SEM(∅) = {∅}, and SEM(all) contains all sets of 
binary trees. 

Accordingly, each interleaving sequence starts with the empty set of bi- 
nary trees. The control condition requires that either leaf is applied or tree 
is called and then make applied. In the first case, the result is always A inde- 
pendent of the actual semantics of tree. This means that in particular (∅, A) ∈ 
ITERATE_i(tree) for i > 0 even if we start with ITERATE_0(tree) = ∅. 

The second case does not apply in the first step because tree refers to 
the empty relation. Hence, ITERATE_1(tree) = {(∅, A)}. And in the second 
step, there is another interleaving sequence: ∅, A, make(A), such that ITERATE_2 
(tree) = {(∅, A), (∅, make(A))}. In each further step, we can add another ap- 
plication of make such that ITERATE_i(tree) = {(∅, make^j(A)) | 0 ≤ j < i}. 
Moreover, it is easy to see that make^i(A) contains all binary trees up to the 
height i. In other words, tree specifies a generation process for binary trees in 
a way similar to the domain equation TREE = A + TREE · A · TREE. 
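The iteration just described, as an added Python simulation (not code from the paper): the semantic relation of tree is a set of pairs of tree sets, inter1_tree applies INTER_1 once according to the control condition leaf | (tree ; make), and iterate_tree builds the chain ITERATE_0(tree), ITERATE_1(tree), … from the empty relation. The one-letter alphabet A = {a} and the identification of a leaf with its label are assumptions of the example; with them, the claims that ITERATE_i(tree) = {(∅, make^j(A)) | 0 ≤ j < i} and that make^i(A) holds exactly the trees up to height i can be checked directly for small i.

```python
"""Iterated interleaving semantics of the self-importing unit `tree`."""
from typing import FrozenSet, List, Tuple, Union

A: FrozenSet[str] = frozenset({"a"})    # constructed label alphabet; a leaf is its label
Tree = Union[str, Tuple]                # a node is the triple (L, a, R)
TreeSet = FrozenSet[Tree]
Relation = FrozenSet[Tuple[TreeSet, TreeSet]]
EMPTY: TreeSet = frozenset()            # the domain expression ∅


def rule_leaf(_: TreeSet) -> TreeSet:
    """leaf(B) = A"""
    return A


def rule_make(b: TreeSet) -> TreeSet:
    """make(B) = B ∪ {(L, a, R) | L, R ∈ B, a ∈ A}"""
    return b | frozenset((l, a, r) for l in b for a in A for r in b)


def inter1_tree(sem: Relation) -> Relation:
    """One application of INTER_1 to the node `tree`, where `sem` is the current
    relation of `tree`, its only imported unit. Initial ∅, control condition
    leaf | (tree ; make), terminal all (so every result is terminal)."""
    out = set(sem)                                  # INTER_1 keeps the given relation
    out.add((EMPTY, rule_leaf(EMPTY)))              # alternative 1: apply leaf
    for src, dst in sem:                            # alternative 2: call tree, then make
        if src == EMPTY:
            out.add((EMPTY, rule_make(dst)))
    return frozenset(out)


def iterate_tree(n: int) -> List[Relation]:
    """[ITERATE_0(tree), ..., ITERATE_n(tree)] starting from the empty relation."""
    chain: List[Relation] = [frozenset()]
    for _ in range(n):
        chain.append(inter1_tree(chain[-1]))
    return chain


def make_power(j: int) -> TreeSet:
    """make^j(A)"""
    s = A
    for _ in range(j):
        s = rule_make(s)
    return s


def height(t: Tree) -> int:
    return 0 if isinstance(t, str) else 1 + max(height(t[0]), height(t[2]))


def max_height(trees: TreeSet) -> int:
    return max(height(t) for t in trees)


if __name__ == "__main__":
    for i, rel in enumerate(iterate_tree(3)):
        # sizes of the second components: 0 [] / 1 [1] / 2 [1, 2] / 3 [1, 2, 5]
        print(i, sorted(len(dst) for _, dst in rel))
```

Each step adds exactly one new pair, so the chain never stabilises: this is the cyclic-import behaviour that Section 3.3 contrasts with acyclic networks. With a larger alphabet the sets grow much faster (every level squares the previous count), so the iteration bound should stay small.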

3.3 Some Properties 

Given a network of transformation units N = (V, tu), let us consider the in- 
terleaving operator INTER_1^F for some construction F: 2^{K×K} → 2^{K×K} with 
rel ⊆ F(rel) for all rel ⊆ K × K. This means that F extends every given rela- 
tion, as the context closure does in our term rewrite example. Obviously, the identity 
on 2^{K×K} is such an extending construction so that the interleaving operator 
INTER_1 is a special case. 

Because F extends relations, INTER_1^F extends every family of relations 
SEM: V → 2^{K×K}: SEM ⊆ F ∘ SEM ⊆ INTER_1(F ∘ SEM) = INTER_1^F(SEM). In 
particular, the following holds: ITERATE_i(N) ⊆ INTER_1^F(ITERATE_i(N)) ⊆ 
ITERATE_{i+1}(N) for i ∈ ℕ, and ITERATE(N) ⊆ INTER_1^F(ITERATE(N)). 

This means that the iteration of the interleaving semantics yields an infi- 
nite increasing chain and the iterated interleaving semantics is extended by the 
interleaving operator INTER_1^F. 

If the network is acyclic, the nodes can be numbered by levels inductively. 
Nodes the transformation units of which have an empty import component get 
level 0. And if all import identifiers of some node id ∈ V have got a level and m 
is the maximum, then id has level m + 1. By induction on the levels, it is easy 
to show that the iteration of the interleaving semantics becomes stable. More 
precisely, the following holds for each id ∈ V with level m: 

ITERATE_{m+1}(N)(id) = ITERATE_{m+k}(N)(id) for all k ∈ ℕ. 

In contrast to that, the iteration may increase forever in networks with cyclic 
import as the last example above shows. But if the modifier F behaves nicely, 
the increase of the process of iterated interleaving stops for ITERATE(N). More 
precisely, let F be monotonic, i.e., F(rel) ⊆ F(rel') for all rel ⊆ rel', and con- 
tinuous, i.e., F(⋃_{i∈ℕ} rel_i) = ⋃_{i∈ℕ} F(rel_i) for all increasing chains of relations 
rel_0 ⊆ rel_1 ⊆ ⋯. Then the iterated interleaving semantics is a fixed point of the 
interleaving operator: 

ITERATE(N) = INTER_1^F(ITERATE(N)). 

The inclusion from left to right is shown above. The inclusion from right to 
left can be seen as follows: 

INTER_1^F(ITERATE(N)) =(1) INTER_1(F ∘ ITERATE(N)) 

=(2) INTER_1(F ∘ ⋃_{i∈ℕ} ITERATE_i(N)) 

=(3) INTER_1(⋃_{i∈ℕ} F ∘ ITERATE_i(N)) 

⊆(4) ⋃_{i∈ℕ} INTER_1(F ∘ ITERATE_i(N)) 

=(5) ⋃_{i∈ℕ} INTER_1^F(ITERATE_i(N)) 

=(6) ⋃_{i∈ℕ} ITERATE_{i+1}(N) ⊆(7) ITERATE(N) 

The equalities 1, 2, 5, and 6 and the inclusion 7 hold by definition. The equal- 
ity 3 follows from the continuity of F. Finally, the inclusion 4 follows from the 
fact that each interleaving sequence using relations of ⋃_{i∈ℕ} F ∘ ITERATE_i(N) 
is also one using only relations of F ∘ ITERATE_k(N) for some k ∈ ℕ. 



3.4 Transformation Modules 

If one looks at the term rewriting example of Section 3.2, the nodes of a network 
of transformation units play different roles. The node nat refers to a standard 
data type and should be available in the context. Hence it may belong to the 
import interface. The node is-balanced and maybe also the node height are 
units of interest while the node balance is rather of an auxiliary nature useful 
for internal purposes, but not meaningful for the public. Therefore, it should not 
appear in the export interface. This consideration leads to the following notion. 

A transformation module is a system MOD = (IMPORT, BODY, EXPORT) 
where BODY is a network of transformation units with the node set V_BODY, 
and IMPORT and EXPORT are subsets of V_BODY. 

The semantics of a module is given by the semantics of its body restricted to 
the export where the semantics of the import can be chosen arbitrarily. Formally, 
let SEM: IMPORT → 2^{K×K} be a mapping, and let INTER be some interleaving 
operator. Then SEM_MOD: EXPORT → 2^{K×K} is defined for all id ∈ EXPORT 
by 

SEM_MOD(id) = ITERATE(BODY)(id) 

where ITERATE_0(BODY) is given by ITERATE_0(BODY)(id) = SEM(id) for 
id ∈ IMPORT and ITERATE_0(BODY)(id) = ∅ otherwise. 
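As an added Python example covering Sections 3.3 and 3.4 (not the paper's own code), a small finite model of the iterated interleaving semantics. It specialises the general definition by assumption: each unit has its local rules as a binary relation on a constructed finite set of configurations, and its control condition admits any interleaving of local rule applications and calls of imported relations with initial and terminal expression all, so the local interleaving semantics is the reflexive-transitive closure of rules and imports. On that model inter1 is INTER_1, iterate produces the chain ITERATE_i(N), levels numbers an acyclic network and rejects a cyclic one, and module_semantics seeds the import nodes and restricts the result to the export. The three-node network, its configurations and the cyclic variant are constructed for the example.

```python
"""Iterated interleaving semantics, levels and module semantics on a finite network."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Rel = FrozenSet[Tuple[str, str]]
Network = Dict[str, Tuple[Set[str], Rel]]   # id -> (import component U_id, local rules R_id)


def rtc(rel: Rel, configs: Set[str]) -> Rel:
    """Reflexive-transitive closure over the configuration set: every finite
    interleaving of steps from `rel`, including the empty one."""
    closure: Set[Tuple[str, str]] = {(c, c) for c in configs} | set(rel)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(closure):
            for (c, d) in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return frozenset(closure)


def inter1(net: Network, sem: Dict[str, Rel], configs: Set[str]) -> Dict[str, Rel]:
    """INTER_1(SEM)(id) = SEM(id) ∪ (interleaving of R_id with SEM restricted to U_id)."""
    new: Dict[str, Rel] = {}
    for ident, (imports, rules) in net.items():
        available = set(rules)
        for imp in imports:
            available |= sem[imp]                    # calls of imported relations
        new[ident] = frozenset(sem[ident]) | rtc(frozenset(available), configs)
    return new


def iterate(net: Network, configs: Set[str], steps: int,
            seed: Optional[Dict[str, Rel]] = None) -> List[Dict[str, Rel]]:
    """[ITERATE_0(N), ..., ITERATE_steps(N)]; ITERATE_0 is empty except for `seed`."""
    sem: Dict[str, Rel] = {ident: frozenset() for ident in net}
    if seed:
        sem.update(seed)
    chain = [sem]
    for _ in range(steps):
        sem = inter1(net, sem, configs)
        chain.append(sem)
    return chain


def levels(net: Network) -> Dict[str, int]:
    """Level numbering of an acyclic network (Section 3.3); ValueError on cyclic import."""
    lvl: Dict[str, int] = {}
    remaining = set(net)
    while remaining:
        progressed = False
        for ident in sorted(remaining):
            imports = net[ident][0]
            if all(i in lvl for i in imports):
                lvl[ident] = 0 if not imports else 1 + max(lvl[i] for i in imports)
                remaining.discard(ident)
                progressed = True
        if not progressed:
            raise ValueError("cyclic import among " + ", ".join(sorted(remaining)))
    return lvl


def is_acyclic(net: Network) -> bool:
    try:
        levels(net)
        return True
    except ValueError:
        return False


def module_semantics(net: Network, configs: Set[str], import_sem: Dict[str, Rel],
                     export: Set[str], steps: int) -> Dict[str, Rel]:
    """SEM_MOD: iterate BODY with ITERATE_0 = import semantics on IMPORT and ∅
    elsewhere, then restrict the result to EXPORT."""
    final = iterate(net, configs, steps, seed=import_sem)[-1]
    return {ident: final[ident] for ident in export}


# Constructed network: n0 has no imports, n1 imports n0, n2 imports n1 (levels 0, 1, 2).
CONFIGS = {"a", "b", "c", "d"}
NET: Network = {
    "n0": (set(), frozenset({("a", "b")})),
    "n1": ({"n0"}, frozenset({("b", "c")})),
    "n2": ({"n1"}, frozenset({("c", "d")})),
}
CYCLIC: Network = dict(NET, n0=({"n2"}, NET["n0"][1]))   # n0 -> n2 -> n1 -> n0
CHAIN = iterate(NET, CONFIGS, 5)

if __name__ == "__main__":
    for i, sem in enumerate(CHAIN):
        print(i, {k: sorted(p for p in v if p[0] != p[1]) for k, v in sem.items()})
```

In the run, n2 acquires the pair (a, d) only in ITERATE_3, one step after its level 2, and nothing changes afterwards; a seeded import relation on n0 propagates into the exported n2, which is the module semantics depending on the import.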

4 Conclusion 

In this paper, we have made an attempt at providing structuring principles for 
rule-based systems that are independent of a particular rule-based framework. 
The proposal has been guided by our earlier investigations of structuring con- 
cepts for graph transformation systems. But the presented notions are different 
and more general in several significant respects: 

— Most obviously, we are no longer assuming graphs as underlying structures, 
but arbitrary configurations. 

— The semantics of configuration class expressions may depend on the envi- 
ronment. This allows one, for example, to introduce reduced normal forms 
with respect to imported relations. 

— In a network and hence in a transformation module, the transformation units 
define each other by calling each other within interleaving sequences. But 
instead of calling just the interleaving semantics, a preprocessing may take 
place in advance to adapt the interleaving semantics in some proper way. As 
an example, it may be closed under context to make it locally applicable. 

— Moreover, the interleaving operator is provided with a cumulative effect ex- 
plicitly by keeping the input relations and adding the outcome of interleaving 
to them. 

On the syntactic level of transformation units and transformation modules, the 
proposed structuring concepts are of a simple nature: Transformation units can 
be imported and exported by a kind of call-by-reference. On the semantic level, 
the structure is reflected by the interleaving semantics that computes a binary 
relation on certain types of configurations for each transformation unit in a net- 
work. In suitable circumstances, the iterated interleaving semantics is a fixed 
point of the interleaving operator such that further investigations can be under- 
taken on a sound mathematical fundament. 

The interleaving semantics is based on the sequential composition of relations 
such that transformation units and modules may be suitable for the modeling 
of sequential systems. Another direction of future research will be the general- 
ization of the semantics in such a way that the modeling of parallel, concurrent, 
and distributed systems is covered. A first step in this direction has been done 
in [KK02] where graph transformation units are provided with a distributed 
semantics. 
Abstract. Notions of observability and reachability induce a relation 
of indistinguishability on the models of specifications. We show how to 
obtain, in a systematic way, from a given institution, an institution that 
respects this indistinguishability relation. Moreover, observability and 
reachability are treated in a formally dual way. 



Introduction 

This paper is concerned with combining notions of observability/reachability 
with institutions. Notions of observability and reachability play a major role in 
specification and verification. From the point of view of the user or specifier, such 
notions introduce an equivalence relation of indistinguishability on the models 
(implementations) of specifications: the user/specifier wants to reason only up 
to this equivalence. 

Institutions [10] are logics which allow one to reason about models for different 
signatures, which is essential to achieve modularity. The central question of the 
paper is, therefore: 

Given a notion of observability or reachability and our favourite 
institution, is there a systematic way to build an institution re- 
specting the corresponding relation of indistinguishability? 

The aim of this work is twofold. First, to provide one possible answer to the 
question raised above. Second, following the ideas in [6], to show that observ- 
ability and reachability can be treated in a formally dual way. 

We proceed in three steps and establish four conditions which are sufficient for 
a positive answer to our question, leading to the notion of black-box institution. 
Section 1 formalises observability and reachability by taking a black-box point 
of view. In case of observability, we assume that for each model M, there is a 
black-box view BM, also called the behaviour of M, together with a quotient 
M → BM. Dually, in case of reachability, we assume that for each model M, 
there is a black-box view RM, also called the reachable-part of M, together with 
an embedding RM → M. The corresponding definitions introduce Conditions 
(1) and (2). 

Section 2 extends the considerations from categories to indexed categories, 
that is, functors Mod: Sig^op → CAT. For this, we have to add Condition (3) 
stating that taking behaviours/reachable-parts commutes with reindexing (tak- 
ing reducts). 

Section 3 shows that we can extend our favourite ‘standard’ logic to a logic 
respecting the appropriate indistinguishability relation by requiring Condition 
(4) which states that a model satisfies a formula if the black-box view standardly 
satisfies the formula. This leads to the notion of black-box institutions, answering 
the question above in a positive way. 

Section 4 shows that our framework applies indeed to our motivating exam- 
ples of observational logic [13], constructor-based logic [5] and COL [4]. 

We conclude with a discussion of related work. The technical notions are 
recalled in an appendix reviewing categorical duality, indexed categories and 
institutions, and fibred categories. 

Acknowledgements. I gratefully acknowledge valuable remarks of Michel 
Bidoit, Rolf Hennicker, and the anonymous referees. 



1 Notions of Behaviour and Reachable-Part 

Our first task is to formalise observability and reachability in a way that is 
suitable for the concerns of the paper. To establish a formal duality we use the 
language of category theory which is briefly reviewed in appendix A. 



1.1 Observability 

Many notions of behaviour found in the literature can be described abstractly 
by two simple properties. 

Definition B 1 Let C be a category. Given an operation B on the objects of C 
and a family of arrows η = (η_M: M → BM)_{M∈C}, we call (B, η) a notion of 
behaviour for C iff 

all η_M are epi (1) 

∀M, N ∈ C there is (·)^♯: C(M, BN) → C(BM, BN) such that f^♯ ∘ η_M = f (2) 

Note that the operation (·)^♯ is uniquely determined due to (1). In case that 
C is a concrete category we call two elements of M behaviourally equivalent, 
and write x ~_M y, iff η_M(x) = η_M(y). Intuitively, (1) expresses that every model 
M has a quotient BM which we call the behaviour of M; (2) is pictured as the 
left-hand diagram below 



[Diagrams: left, f: M → BN factors as f^♯ ∘ η_M through η_M: M → BM; right, 
for g: M → N, the arrow (η_N ∘ g)^♯: BM → BN over η_M and η_N.] 

and expresses that morphisms in C preserve behavioural equivalence. Indeed, 
for g: M → N in C, we have, as indicated in the right-hand diagram above, 

x ~_M y ⇒ η_M(x) = η_M(y) ⇒ (η_N ∘ g)^♯ ∘ η_M(x) = (η_N ∘ g)^♯ ∘ η_M(y) ⇒ 
η_N(g(x)) = η_N(g(y)) ⇒ g(x) ~_N g(y). 

Here are some straightforward examples, more will follow later. 

Example 1. 1. A well-known example is provided by the category of determin- 
istic automata (without initial states, see [20] for details), BM being the 
minimal realisation of an automaton M and η_M: M → BM mapping a 
state in M to the state in BM that accepts the same language. 

2. In the category of labelled transition systems, a notion of behaviour is given 
by the quotient BM of a transition system M wrt the largest bisimulation. 

3. More generally, subsuming the above, for any set-endofunctor T, the category 
Coalg(T) of T-coalgebras [21] has a canonical notion of behaviour. For any 
T-coalgebra M, BM is given by the image factorisation M → BM → Z of 
the unique arrow M → Z into the final T-coalgebra Z¹. 

4. Consider the signature for stacks over elements E given by new: 1 → X, 
push: E × X → X, pop: X → X + 1, top: X → E + 1. Define a relation 
of observational (or behavioural) equivalence by x ~ y iff top(pop^n(x)) = 
top(pop^n(y)) for all n ∈ ℕ. Let C be the category consisting of the structures 
(X, top, pop, push, new) for which ~ is a congruence². Define BM to be the 
structure identifying all observationally equal states. Note that the array- 
pointer implementation and the standard model have the same behaviour. 

Note that the last example is different from its predecessors in that C there has 
no final object due to the liberty in implementing new and push. 

A notion of behaviour on C gives rise to two related categories, the category 
C^B consisting of all behaviours and the category C_B consisting of all models but 
seen from the point of view of their behaviours. 

Definition B 2 Consider a notion of behaviour B on C. 

— C^B is the full subcategory of C consisting of all objects M with M = BM. 

— C_B has the same objects as C and morphisms C_B(M, N) = C(BM, BN). 

Intuitively, C consists of all possible realizations of a specification whereas C^B 
only contains the black box views. C_B combines both aspects. The models are 
the same as in C but the morphisms incorporate the black box view, C_B(M, N) = 
C(BM, BN). 

Example 2 (Observational Logic). Our motivating example is observational logic 
[13]. In observational logic, each signature Σ determines a set of state sorts and a 
notion of observational equality for each state sort. The class C of models, called 
observational algebras, of a signature allows one to take for any algebra A ∈ C the 
quotient BA of A wrt the observational equality induced by Σ. The important 
point to note about the category C_B is that its morphisms coincide with the 
observational morphisms of [13]. Since, on state sorts, a morphism maps a state 
to an equivalence class of states, these morphisms can be described as relations 
as in [13]. 

¹ The final coalgebra always exists [1] although its carrier may be a proper class. 
Avoiding the final coalgebra, BM can be defined as the quotient wrt the largest 
behavioural equivalence or as the co-intersection of all quotients of M. 

² That ~ is a congruence means that using all operations does not allow us to distin- 
guish more states than using only top and pop. 

The reader not familiar with monads [19] can skip the next proposition and 
continue with its corollary and the following example. The proposition charac- 
terises notions of behaviour as monads whose unit is componentwise epi and 
shows that these monads are idempotent. In our context, idempotence means 
idempotence of taking behaviours, i.e., BBM = BM. 

Proposition B 3 There is a bijection between notions of behaviour and mon- 
ads whose unit is componentwise epi. Moreover these monads are idempotent. 

Proof. Given a notion of behaviour (B, η) with lifting (·)^♯, we show that (B, η, 
(·)^♯) is a Kleisli triple³. By definition of a Kleisli triple one has to check for all 
g: M → BN, f: L → BM the laws (i) f = f^♯ ∘ η_M, (ii) η_M^♯ = id_{BM}, (iii) 
(g^♯ ∘ f)^♯ = g^♯ ∘ f^♯. This is straightforward. Conversely, it is immediate that every 
Kleisli triple (B, η, (·)^♯) (and hence monad) with η_M epi gives rise to a notion 
of behaviour (B, η). Finally, to see that these monads are idempotent, that is, 
that the multiplication μ_M is iso, apply Condition (2) to f = id_{BM} and use 
Condition (1). (Details of the proof can be found in [16], Lemma 2.2). 

The fact that B is an idempotent monad determines the structure described 
in the following corollary. 

Corollary B 4 Let (B, η) be a notion of behaviour for C. There are functors 

[Diagram of functors: B': C → C^B, I': C^B → C, H: C → C_B, B'': C_B → C^B, 
G: C_B → C] 

where B', B'', and G map an object to its behaviour, I' is the inclusion of 
behaviours, and H is the identity on objects, all satisfying I'B' = B = GH, 
B''H = B', I'B'' = G. Moreover, η is a natural transformation, behaviour is 
left adjoint to inclusion (B' ⊣ I'), B'' is an equivalence of categories, and C^B is 
a full reflective subcategory of C. 

³ There is a well-known bijection between Kleisli triples and monads. The monad 
(B, η, μ) associated to the Kleisli triple (B, η, (·)^♯) is given as follows: B is defined on 
arrows as Bf = (η_N ∘ f)^♯ for f: M → N and μ_M = (id_{BM})^♯ for M ∈ C. Conversely, 
given a monad (B, η, μ), the Kleisli triple is (B, η, (·)^♯) with f^♯ = μ_M ∘ Bf for 
f: M → BN. 

316 A. Kurz 

Proof. The category of algebras for the monad is (isomorphic to) C^B since the 
multiplication is iso. The Kleisli-category is (isomorphic to) C_B. It now follows 
from B being a monad: functoriality, the equations, the adjunctions, naturality 
of η, and B'' full and faithful. Since the multiplication is iso, every object in 
C^B is isomorphic to an object in the image of B'', hence B'' is an equivalence. 
C^B is a full reflective subcategory due to the bijection between full reflective 
subcategories and idempotent monads. (See [7], Vol. 2, Proposition 4.1.6 and 
Proposition 4.2.3 for proofs of the facts we used). 

Example 3. 1. In the case of deterministic automata, C^B is (equivalent to) the 
category of languages⁴, B' can be understood as mapping an automaton 
to the language it accepts and I' as mapping a language to the minimal 
realising automaton. The insight that behaviour is left-adjoint to minimal 
realisation, B' ⊣ I', is due to Goguen [11]. 

2. Continuing Example 2, the ‘observational black-box functor’ of observational 
logic appears here as C_B → C^B ↪ Alg(Σ). It is full and faithful since B'' 
is full and faithful. Moreover, the category C^B of fully abstract algebras is a 
full reflective subcategory of the category C of observational algebras. 



1.2 Reachability 

(R, ε) is a notion of reachable-part for C iff (R^op, ε^op) is a notion of behaviour 
for C^op⁵. In detail: 

Definition R 1 Let C be a category. Given an operation R on the objects of C 
and a family of arrows ε = (ε_M: RM → M)_{M∈C}, we call (R, ε) a notion of 
reachable-part for C iff 

all ε_M are mono 

∀N, M ∈ C there is (·)^♯: C(RN, M) → C(RN, RM) such that ε_M ∘ f^♯ = f 

In case that C is a concrete category we call an element x of M reachable 
iff x is in the image of ε_M. Intuitively, the dual of (1) expresses that every model 
has a submodel RM which we call the reachable-part of M. The dual of (2), 
see the left-hand diagram below, 



RM ^ RN RM RN 




* More precisely, given an alphabet S, objects are subsets L C S* ordered by inclu- 
sion. 

® The (•)°P-notation is explained in appendix A. 
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expresses that morphisms in C preserve reachability. Indeed, with the notation 
of the right-hand diagram above, an element y in TV is reachable iff there is y' 
in RN with EM{y') = y- Now, iox g ■. N ^ M it holds that g{y) = g o £M{y') = 
£m{{9 ° that is, g{y) is reachable. 

Here is a typical example of reachability: 

Example 4. 1. In the category of deterministic automata (with initial state), 
there is an operation $R$ mapping an automaton $M$ to the automaton $RM$ 
which contains only states reachable from the initial state. 

2. More generally, given a signature for algebras, there is the operation $R$ mapping 
an algebra $M$ to the algebra $RM$ which contains only elements which 
are denoted by a term. 

Dualising Definition B 2, we obtain categories $C^R$ and $C_R$. The objects of $C^R$ 
are called reachable; an interpretation of the morphisms of $C_R$ is given in the 
remark following the definition. 

Definition R 2 Consider a notion of reachable-part $R$ on $C$. 

— $C^R$ is the full subcategory of $C$ consisting of all objects $M$ with $M = RM$. 

— $C_R$ has the same objects as $C$ and morphisms $C_R(M, N) = C(RM, RN)$. 

Remark 1. In categorical language a partial map $X \rightharpoonup Y$ with domain $D$ can 
be described, see the left-hand diagram, 

[Two diagrams: on the left, a mono $D \rightarrowtail X$ and a map $D \to Y$; on the right, 
the mono $\varepsilon_N : RN \rightarrowtail N$ and a map $RN \to M$.] 

as a mono $D \rightarrowtail X$ and a map $D \to Y$. Because a morphism $RN \to RM$ of $C_R$ 
can be considered as a morphism $RN \to M$ (see the footnote below), the right-hand 
diagram shows that morphisms in $C_R$ are partial morphisms defined on reachable-parts. 

Example 5 (Constructor-Based Logic). Our motivating example is constructor-based 
logic [6]. In constructor-based logic, each signature $\Sigma$ determines a set of 
constrained sorts along with a set of constructor operations (defining how to construct 
elements of constrained sorts). The class $C$ of models, called constructor-based 
algebras, of a signature allows one to take for any $A \in C$ the reachable-part 
(called generated part in [5]) $RA$ of $A$. The constructor-based morphisms of 
[6] coincide with the morphisms in $C_R$. Their distinguishing feature is that they 
are, on constrained sorts, partial functions defined only on the reachable-part. 

Footnote: It follows from Corollary R 4 below (or directly from the dual of Conditions (1) and 
(2)) that $C(RN, RM) \to C(RN, M)$, $f \mapsto \varepsilon_M \circ f$, is a bijection, the inverse given by 
$(\cdot)^\sharp$. 

Footnote: Compared to earlier treatments of reachability, the distinguishing feature of 
constructor-based logic is that models are not required to be reachable; operations 
only have to preserve reachability. 

It follows from the duality principle and Proposition B 3 that notions of 
reachable-part coincide with comonads having a counit that is componentwise 
mono and that these comonads are, moreover, idempotent. Idempotence means 
here idempotence of taking reachable-parts, i.e., $RRM = RM$. 

Proposition R 3 There is a bijection between notions of reachable-part and 
comonads having a counit that is componentwise mono. Moreover, these comonads 
are idempotent. 

Corollary R 4 Let $(R, \varepsilon)$ be a notion of reachable-part for $C$. There are functors 

[Diagram: the categories $C$, $C^R$ and $C_R$ with functors $R' : C \to C^R$, $I' : C^R \to C$, 
$H : C \to C_R$, $R'' : C_R \to C^R$ and $G : C_R \to C$.] 

where $R'$, $R''$, and $G$ map an object to its reachable-part, $I'$ is the inclusion of 
reachable-parts, and $H$ is the identity on objects, all satisfying $I'R' = R = GH$, 
$R''H = R'$, $I'R'' = G$. Moreover, $\varepsilon$ is a natural transformation, restriction to 
reachable-parts is right adjoint to inclusion ($I' \dashv R'$), $R''$ is an equivalence of 
categories, and $C^R$ is a full coreflective subcategory of $C$. 

2 Notions of Behaviour and Reachable-Part for Indexed Categories 

In a second step we extend our notions of behaviour/reachable-part from 
categories to indexed categories. 

2.1 Observability 

We require a notion of behaviour for each index and that reindexing preserves 
behaviours. 

Definition B 5 (Notion of Behaviour for Indexed Categories) Given a 
functor $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ we call a family $B = (B_\Sigma, \eta_\Sigma)_{\Sigma \in \mathrm{Sig}}$ a notion of 
behaviour for $Mod$ iff each $(B_\Sigma, \eta_\Sigma)$ is a notion of behaviour for $Mod(\Sigma)$ and 
for all arrows $\sigma : \Sigma \to \Sigma'$ and all $M' \in Mod(\Sigma')$ there is an isomorphism making the 
diagram 

$$B(Mod(\sigma)(M')) \cong Mod(\sigma)(B(M')) \qquad (3)$$ 

[Diagram (3): a triangle with vertex $Mod(\sigma)(M')$, the unit $\eta_{Mod(\sigma)(M')}$ and the 
isomorphism above.] 

commute. We write $B$ for $B_{\Sigma'}$, $B_\Sigma$, respectively, the subscripts being clear from 
the context. 

Intuitively, (3) states that $Mod(\sigma)$ preserves behaviours. The habit of avoiding 
the subscripts of $B_{\Sigma'}$, $B_\Sigma$ comes from an equivalent formulation of the above 
definition in terms of fibred categories (aka fibrations). The reader not familiar 
with fibred categories may continue with Corollary B 8. 

The following definition generalises the characterisation of notions of behaviour 
given by Proposition B 3 from categories to fibred categories. 

Definition B 6 (Notion of Behaviour for Fibrations) Let $p : C \to X$ be a 
fibration. A fibred monad $(B, \eta, \mu)$ on $p$ is called a notion of behaviour for $p$ iff 
all $\eta_M$, $M \in C$, are epi. 

Remark 2. The concept of a monad with componentwise epi unit makes sense 
for any 2-category. Definition B 6 formulates the instance in the 2-category of 
fibrations over $X$ whereas the previous section dealt with the instance in the 
2-category of categories. 

One advantage of Definition B 6 is that monads on fibrations are easier to define 
than monads on indexed categories and hence the analogue of Corollary B 4 
comes more naturally in terms of fibrations. But before going into this let us first 
sketch the equivalence of the two definitions. 

Proposition B 7 Definition B 5 and Definition B 6 are equivalent. 

Proof. The proof is a corollary to the equivalence of (non-split) indexed categories 
and cloven fibrations, see e.g. [12]. We sketch the argument for our special 
case. Let $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ be a functor and $p : C \to \mathrm{Sig}$ the corresponding 
fibration obtained via the Grothendieck construction. We give a bijection between 
notions of behaviour for $Mod$ and $p$. First, given $(B, \eta, \mu)$ on $p$ we define $B_\Sigma$ and 
$\eta_\Sigma$ as the restriction of $B$ and $\eta$ to the fibre over $\Sigma$. Condition (3) is satisfied 
since $B$ preserves cartesian arrows. Second, given $(B_\Sigma, \eta_\Sigma)$, we can extend $B$ to 
all of $C$ as follows. Every morphism $f : M \to N$ in $C$ over $\sigma : \Sigma \to \Sigma'$ can be 
factored as $\bar\sigma \circ \bar f$ where $\bar\sigma$ is cartesian over $\sigma$ and $\bar f$ is vertical. Let 
$Bf = \bar\sigma \circ \alpha_N \circ B\bar f$, where $\bar\sigma$ is cartesian over $\sigma$ into $BN$ and $\alpha_N$ is the (unique) 
iso given by Condition (3). Thanks to Condition (1), the isomorphism $\alpha_N$ given by 
Condition (3) is natural in $N$ and satisfies the usual coherence conditions: over an 
identity it is $\mathrm{id}_{BN}$, and over a composite it is obtained by composing $Mod(\sigma)$ applied 
to the isomorphism for one factor with the isomorphism for the other. 
Chasing the obvious big diagram now shows that $B$ is indeed a functor. $B$ is 
fibrewise a monad due to Proposition B 3 and preserves cartesian liftings by 
construction. □ 

A pleasant consequence of the proposition is that we now obtain a version of 
Corollary B 4 for indexed categories. Indeed, let $B = (B_\Sigma, \eta_\Sigma)_{\Sigma \in \mathrm{Sig}}$ be a notion 
of behaviour for $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$. By Proposition B 7, we can extend $B$ to a 
monad $B$ on the total category $C$ of the fibration $p$ corresponding to $Mod$. Now 
we can apply Corollary B 4 to $C$ and $B$. 

[Diagram: the categories $C$, $C^B$ and $C_B$ with the functors of Corollary B 4.] 

Moreover, we know (see [16], Proposition 4.18) that $C^B$ and $C_B$ are fibred over 
$\mathrm{Sig}$, that is, there are fibrations $p^B$ and $p_B$ making the diagram above into a 
diagram in the (2-)category of fibrations over $\mathrm{Sig}$. Translating the diagram back 
to indexed categories, it follows that the constructions of Corollary B 4 extend 
from categories to indexed categories. 

For future reference we record (recall Definition B 2 for the operations $(\cdot)^B$ 
and $(\cdot)_B$): 

Corollary B 8 Let $B = (B_\Sigma, \eta_\Sigma)_{\Sigma \in \mathrm{Sig}}$ be a notion of behaviour for $Mod : 
\mathrm{Sig}^{op} \to \mathrm{CAT}$. Then there are functors $Mod^B : \mathrm{Sig}^{op} \to \mathrm{CAT}$, $\Sigma \mapsto Mod(\Sigma)^B$ 
and $Mod_B : \mathrm{Sig}^{op} \to \mathrm{CAT}$, $\Sigma \mapsto Mod(\Sigma)_B$. 

2.2 Reachability 

$(R_\Sigma, \varepsilon_\Sigma)_{\Sigma \in \mathrm{Sig}}$ is a notion of reachable-part for the indexed category $Mod : 
\mathrm{Sig}^{op} \to \mathrm{CAT}$ iff $(R_\Sigma^{op}, \varepsilon_\Sigma^{op})$ is a notion of behaviour for the dual indexed 
category $Mod^{co}$ (see the footnote below). In detail: 

Definition R 5 Given a functor $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ we call a family $R = 
(R_\Sigma, \varepsilon_\Sigma)_{\Sigma \in \mathrm{Sig}}$ a notion of reachable-part for $Mod$ iff each $(R_\Sigma, \varepsilon_\Sigma)$ is a 
notion of reachable-part for $Mod(\Sigma)$ and for all arrows $\sigma : \Sigma \to \Sigma'$ and all 
$M' \in Mod(\Sigma')$ there is an isomorphism making the diagram 

[Dual of diagram (3): the isomorphism $Mod(\sigma)(R(M')) \cong R(Mod(\sigma)(M'))$ together 
with the counit into $Mod(\sigma)(M')$.] 

commute. We write $R$ for $R_{\Sigma'}$, $R_\Sigma$, respectively, the subscripts being clear from 
the context. 

Intuitively, the dual of (3) states that $Mod(\sigma)$ preserves reachability. 

A notion of reachable-part on a cofibration $q$ is dual to a notion of behaviour 
on the fibration $q^{op}$, in detail: 

Definition R 6 Let $q : C \to X$ be a cofibration. A cofibred comonad $(R, \varepsilon, \delta)$ on 
$q$ is called a notion of reachable-part for $q$ iff all $\varepsilon_M$, $M \in C$, are mono. 

Footnote: The definition of $(\cdot)^{co}$ is recalled in appendix B. 

Proposition R 7 Definition R 5 and Definition R 6 are equivalent. 

Proof. Let $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ be a functor and $q : C \to \mathrm{Sig}$ the corresponding 
cofibration obtained via the co-Grothendieck construction. Apply Proposition 
B 7 to $Mod^{co}$ and $q^{op}$. 

Corollary R 8 Let $R = (R_\Sigma, \varepsilon_\Sigma)_{\Sigma \in \mathrm{Sig}}$ be a notion of reachable-part for $Mod : 
\mathrm{Sig}^{op} \to \mathrm{CAT}$. Then there are functors $Mod^R : \mathrm{Sig}^{op} \to \mathrm{CAT}$, $\Sigma \mapsto Mod(\Sigma)^R$ 
and $Mod_R : \mathrm{Sig}^{op} \to \mathrm{CAT}$, $\Sigma \mapsto Mod(\Sigma)_R$. 



3 Institutions for Observability and Reachability 

In this section, we show how to obtain institutions whose satisfaction relation 
respects a given notion of behaviour or reachable-part. In order to treat both 
cases simultaneously, we call the behaviour/reachable-part of a model the black- 
box view of the model. 

We assume that we are given a ‘standard’ logic such as first-order logic which 
we use to reason about black-box views and that we want to extend this logic to 
all models in a way such that formulas of the logic cannot distinguish between 
a model and its black-box view. 

Definition 9 Let $C$ be a class (of models), $V$ an operation on $C$ (with $VM$ called 
the black-box view of $M \in C$), $L$ a class (of formulas) and $\models, \mid\models \subseteq C \times L$ two 
relations. Then $\mid\models$ is called the black-box view relation induced by $(V, \models)$ iff 

$$M \mid\models \varphi \iff VM \models \varphi \qquad (4)$$ 

We can now define the notion of a black-box institution. Recall that a notion 
of behaviour (reachable-part) $V$ for an indexed category $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ 
is given by functors $V_\Sigma$ on $Mod(\Sigma)$ satisfying (the dual of) Conditions (1)-(3). 
According to Definition B(R) 2 and Corollary B(R) 8, $V$ and $Mod$ give rise to the 
indexed categories $Mod^V$ and $Mod_V$, $Mod^V$ being the category of the black-box 
views. 

Definition 10 Let $V$ be a notion of behaviour (reachable-part) for $Mod$ and 
$(Mod^V, Sen, \models)$ be an institution and $\mid\models$ be the black-box view relation induced 
by $(V, \models)$. Then $(Mod, Sen, \mid\models)$ and $(Mod_V, Sen, \mid\models)$ are the black-box institutions 
induced by $(V, \models)$. 

The definition is justified by the following theorem (we assume that institutions 
have satisfaction relations that do not distinguish isomorphic models). 

Theorem 1. If $V$ is a notion of behaviour or reachable-part for $Mod$ then $Mod^V$ 
and $Mod_V$ are functors. If moreover $(Mod^V, Sen, \models)$ is an institution then 
$(Mod, Sen, \mid\models)$ and $(Mod_V, Sen, \mid\models)$ are institutions. 

Proof. The first part of the theorem is Corollary B 8. For the second part we have 
to show that for $(Mod, Sen, \mid\models)$ and $(Mod_V, Sen, \mid\models)$ the satisfaction condition 
of institutions holds. The proof being the same in both cases, we pick the first. 
Let $\sigma : \Sigma \to \Sigma'$ be a signature morphism, $\varphi \in Sen(\Sigma)$, $M' \in Mod(\Sigma')$. We have 

$$Mod(\sigma)(M') \mid\models \varphi \iff V(Mod(\sigma)(M')) \models \varphi \iff Mod(\sigma)(VM') \models \varphi 
\iff VM' \models Sen(\sigma)(\varphi) \iff M' \mid\models Sen(\sigma)(\varphi).$$ 

The equivalences are due to, respectively, Condition (4), Condition (3), the 
satisfaction condition for $\models$, and Condition (4). □ 

In the same way, we obtain theorems for combining notions of behaviour 
and reachable-part. For example, consider a situation where we start with some 
indexed category of models $Mod$ and assume that we have a notion of reachable-part 
$R$ for $Mod$ and then a notion of behaviour on reachable algebras. The 
black-box view of a model $M$ is then given by $BRM$ and all black-box views are 
assembled in the indexed category $(Mod^R)^B$. As before, we suppose that we have 
a standard logic $\models$ on black-box views that we want to transfer to all models, 
organised in the indexed categories $Mod$ or $(Mod_R)_B$. 

Theorem 2. If $R$ is a notion of reachable-part for $Mod$ and $B$ a notion of 
behaviour for $Mod^R$ then $(Mod^R)^B$ and $(Mod_R)_B$ are functors. If moreover 
$((Mod^R)^B, Sen, \models)$ is an institution and $\mid\models$ is the black-box view relation induced 
by $(BR, \models)$, then $(Mod, Sen, \mid\models)$ and $((Mod_R)_B, Sen, \mid\models)$ are institutions. 

Proof. For the first part, note that a notion of behaviour $B$ for $Mod^R$ induces 
a notion of behaviour for the equivalent category $Mod_R$, which justifies considering 
$(Mod_R)_B$. The second part is shown as for the theorem above. 

We have shown how to reduce the proof of institutions to the verification of 
Conditions (1)-(4). In all applications we will consider in the next section, the 
verification of (1) and (2) is straightforward. Similarly, $\mid\models$ is usually designed to 
satisfy (4). So the point is to carefully choose $\mathrm{Sig}$ in order to guarantee (3). 

4 Applications 

We sketch how our framework applies to the examples that motivated our pre- 
sentation, namely observational logic, constructor-based logic, and COL. 

Observational Logic. Observational logic was introduced in [13]. Our discussion 
refers to the presentation in [5]. Conditions (1) and (2) are satisfied, because 
the class of models, called observational algebras, is defined in such a way that 
the quotient wrt observational equality is again a model (cf. Definition 2.6 in 
[5]). Technically this is expressed by the requirement that observational equality 
is a congruence ([5], Definition 2.6) which in turn formalises the intuition that 
non-observer operations are not allowed to contribute to observations. Condition 
(3) is satisfied because the category $\mathrm{Sig}$ has been defined in a way such 
that reindexing preserves behaviours ([5], Corollary 2.19). Condition (3) can be 
understood as requiring that a signature morphism $\sigma : \Sigma \to \Sigma'$ from an ‘old’ 
signature $\Sigma$ to a ‘new’ signature $\Sigma'$ may not introduce new observations on old 
sorts (formalised as [5], Definition 2.14). Condition (4) appears as Theorem 2.12 
in [5]. 

Constructor-Based Logic. Constructor-based logic was introduced in [6]. Our 
discussion refers to the presentation in [5]. Conditions (1) and (2) are satisfied, 
because the class of models, called constructor-based algeb ras, is defined in such 
a way that the subsets of elements which are generated by constructors form 
a subalgebra ([5], Definition 3.6 and 3.7). This formalises the intuition that 
the use of non-constructors cannot lead to elements which are not reachable 
by constructors. Condition (3) is [5], Corollary 3.19, and a consequence of the 
definition of $\mathrm{Sig}$ which can be phrased as ‘new constructors may not generate 
new elements on old sorts’. Condition (4) is Theorem 3.12 in [5]. 

Constructor-Based Observational Logic (COL). COL is introduced in [4]. 
COL consists of an integration of the two concepts above. Let us denote by $Mod : 
\mathrm{Sig}^{op} \to \mathrm{CAT}$ the indexed category consisting of all COL-algebras with standard 
algebra morphisms. Constructors and observers determine a notion of reachable-part 
$R$. For any COL-algebra $A$, $RA$ consists of all elements which are observably 
equal to an element generated by constructors. This yields a functor $Mod_R$. 
(Taking into account only constructible experiments,) observers then determine 
a notion of behaviour $B$ on $Mod_R$, yielding the indexed category $(Mod_R)_B$ of 
COL-algebras with COL-morphisms. That COL now forms an institution follows 
from Theorem 2 by establishing Conditions (3) and (4). 

5 Conclusion 

The aim of this paper was to give a semantic analysis of how to obtain institutions 
respecting notions of observability and reachability. We formalised observability 
and reachability as notions of behaviour and reachable-part and showed how they 
give rise to black-box institutions. We believe that the simplicity of Conditions 
(1)-(4) defining black-box institutions, together with the duality inherent in our 
approach, provides a nice and unifying picture for several known examples of 
institutions. 

Nevertheless, it would certainly be interesting to find more instances of our 
framework. One possibility might be to look at generalisations. For example, our 
approach relied on the notion of an idempotent monad which is slightly more 
general than a notion of behaviour since the unit is not required to be compo- 
nentwise epi. Moreover, most results would also hold for monads in general. 

Institutions and Indexed Categories. On the one hand, we followed the 
tradition to say that, in an institution, $Mod : \mathrm{Sig}^{op} \to \mathrm{CAT}$ is a functor (= 
split indexed category) and not a pseudo-functor (= indexed category). On the 
other hand, in Definition B 5 it seemed more natural to consider isomorphisms 
in (3) rather than identity. But this means that $B$ is a functor in the category 
of (non-split) indexed categories and not in the category of split indexed categories. 
It therefore seems natural to allow pseudo-functors in the definition of an 
institution. 

Induction and Coinduction. It is well-known that notions of behaviour and 
reachable-part give rise to coinduction and induction proof principles. On our 
level of abstraction, however, we cannot deal with these more concrete issues. 
On a more concrete level this has been done e.g. in [5]. 

Related Work. The duality of observability and reachability goes back to 
Kalman [15] in the context of linear systems in control theory. His results were 
generalised by Arbib and Manes [2, 3] to, essentially, algebras for an endofunctor 
on an arbitrary category. In [6] we took up their idea of duality of observability 
and reachability and applied it to specification formalisms. This paper continues 
[6] by showing that also the institution proofs for the observability and reacha- 
bility case can be obtained from each other by using a formal duality principle. 

The idea to use Conditions (l)-(4) to prove a general theorem about the 
existence of institutions appears in [16] where it was extracted from the proof 
of the observational logic institution in [13]. Compared to [16], which contains 
most of the technicalities used here, we have simplified matters by insisting 
on Condition (1) instead of working with idempotent monads in general and by 
moving the fibrations more into the background. More importantly, we show here 
that this approach fits nicely with the duality of observability and reachability 
and can also be applied to institutions which integrate both observability and 
reachability. 

Let us also note that our approach has been designed for cases where we start 
from a standard logic which is an institution but does not respect the black-box 
view. A different approach is to start with a logic which respects the black-box 
view and directly build an institution. This approach is natural, for instance, if 
modal logic is used as a specification language and the black-box view is given 
by bisimulation; for examples see [9, 8, 17]. 

A Categorical Duality 

We briefly review categorical duality; for background see [19]. A category $C$ 
consists of a class of objects, also denoted by $C$, and for all $A, B \in C$ of a set 
of arrows (or morphisms) $C(A, B)$. The dual (or opposite) category $C^{op}$ has the 
same objects and arrows $C^{op}(A, B) = C(B, A)$. We write $A^{op}$ and $f^{op}$ for $A \in C$ 
and $f \in C(B, A)$ to indicate when we think of $A$ as an object in $C^{op}$ and of $f$ 
as an arrow in $C^{op}(A, B)$. Duality can now be formalised as follows. Let $P$ be a 
property of objects or arrows in $C$. We then say that: 

An object $A$ (arrow $f$, respectively) in $C$ has property co-$P$ 
iff $A^{op}$ ($f^{op}$, respectively) has property $P$. 

For example, a morphism $f \in C(A, B)$ is co-epi (usually called mono) iff $f^{op}$ is 
epi. 

The duality principle extends to functors and natural transformations. The 
dual of a functor $F : C \to D$ is the functor $F^{op} : C^{op} \to D^{op}$ which acts on objects 
and morphisms as $F$ does. The dual of a natural transformation $\eta = (\eta_A)$ is 
$\eta^{op} = (\eta_A^{op})$. For instance, for an endofunctor $F$, the category of $F$-coalgebras 
is dual to the category of $F^{op}$-algebras; a functor $F$ is left adjoint to $G$ iff $F^{op}$ 
is right adjoint to $G^{op}$; and $(T, \eta, \varepsilon)$ is a comonad on $C$ iff $(T^{op}, \eta^{op}, \varepsilon^{op})$ is a 
monad on $C^{op}$. 



B Indexed Categories and Institutions 

For our purposes, unless stated otherwise, an indexed category over a (large) 
category $X$ is a functor $H : X^{op} \to \mathrm{CAT}$ to the (superlarge) category $\mathrm{CAT}$ of all 
large categories. 

An institution $(Mod, Sen, \models)$ consists of an indexed category $Mod$ over a 
category of signatures $\mathrm{Sig}$, a functor $Sen : \mathrm{Sig} \to \mathrm{Set}$, and for each signature 
$\Sigma \in \mathrm{Sig}$ a satisfaction relation $\models_\Sigma \subseteq Mod(\Sigma) \times Sen(\Sigma)$ such that for all $\sigma : 
\Sigma \to \Sigma'$, all $\varphi \in Sen(\Sigma)$, and all $M' \in Mod(\Sigma')$ 

$$Mod(\sigma)(M') \models_\Sigma \varphi \iff M' \models_{\Sigma'} Sen(\sigma)(\varphi).$$ 

This condition is called the satisfaction condition of institutions. Moreover, we 
require that $M_1 \models_\Sigma \varphi \iff M_2 \models_\Sigma \varphi$ whenever $M_1, M_2$ are isomorphic. We 
usually write $M \models \varphi$ instead of $M \models_\Sigma \varphi$ because the signature $\Sigma$ can always be 
inferred from the signature of the model $M$. For more on institutions see [23]. 

Dual Notions. The dual of an indexed category $H : X^{op} \to \mathrm{CAT}$ is the indexed 
category $H^{co} : X^{op} \to \mathrm{CAT}$ given by $H^{co}(u) = (Hu)^{op} : (HJ)^{op} \to (HI)^{op}$ for 
$u : I \to J$. Note that the dual $H^{co}$ of $H$ as an indexed category is different from 
the dual $H^{op}$ of $H$ as a functor. 

C Fibrations 

We briefly recall the basic notions of fibred category. This material is only needed 
for Definition B 6 and Proposition B 7. For more on fibred categories see [14, 7, 22]. 

A functor $H : X^{op} \to \mathrm{CAT}$ is called an indexed category, since for each ‘index’ 
$I \in X$ there is a category $H(I)$ and for each arrow $u : I \to J$ in $X$ there is a 
functor $H(u) : H(J) \to H(I)$ ‘reindexing’ objects in $H(J)$ along $u$. 

Alternatively, one can use a functor $p : A \to X$ to describe how objects of $A$ 
are indexed over objects of $X$. Consider an arrow $u : I \to J$ in $X$. We say that 
$A$ is over $I$ [$f$ is over $u$] if $p(A) = I$ [$p(f) = u$] and that $f$ is vertical if $p(f)$ is 
the identity. $A$ is called the total category and the fibre over $I$ is the category 
consisting of the objects over $I$ and the vertical arrows between them. 

Using this terminology, we define a fibration over $X$ to be a functor $p : A \to X$ 
such that for all $u : I \to J$ in $X$ and all $A$ over $J$ there is an object $u^*(A)$ and a 
so-called cartesian arrow $\bar u : u^*(A) \to A$ over $u$, that is, for all $f$ over $u$ there is 
a unique vertical $g$ such that $\bar u \circ g = f$. Moreover, cartesian arrows are required 
to be closed under composition. 

A fibration is called a split fibration if it comes equipped with a choice 
$u^*(A) \to A$ of cartesian arrow for each $u$ and $A$ and, moreover, $(\mathrm{id}_I)^*$ is the 
identity functor and $(u \circ v)^* = v^* \circ u^*$. 

There is an equivalence between functors $X^{op} \to \mathrm{CAT}$ and split fibrations 
over $X$. Given a split fibration $p : A \to X$, define $H(I)$ to be the fibre over $I$ and, 
for $u : I \to J$, $H(u) = u^*$. Given a functor $H : X^{op} \to \mathrm{CAT}$ the corresponding 
fibration $p : A \to X$ is obtained via the Grothendieck construction as follows. 
The objects of $A$ are pairs $(I, A)$, $I \in X$, $A \in H(I)$. Morphisms of $A$ are pairs 
$(u, f) : (I, A) \to (J, B)$ with $u : I \to J \in X$ and $f : A \to (Hu)(B)$. $p : A \to X$ is 
the first projection. 

A fibred functor $F : p \to p'$ between fibrations $p : A \to X$, $p' : A' \to X$ is 
a functor $F : A \to A'$ such that $p'F = p$ and $F$ preserves cartesian liftings. A 
fibred natural transformation between fibred functors is a natural transformation 
which has vertical components. 

Dual Notions. The functor $q : A \to X$ is a (split) cofibration (over $X$) iff 
$q^{op} : A^{op} \to X^{op}$ is a (split) fibration. There is an equivalence between indexed 
categories over $X$ and split cofibrations over $X^{op}$. Given a functor $H : X^{op} \to \mathrm{CAT}$ 
the corresponding cofibration $q : A \to X^{op}$ is obtained via the co-Grothendieck 
construction as follows. The objects of $A$ are pairs $(I, A)$, $I \in X$, $A \in H(I)$. The 
morphisms of $A$ are pairs $(u, f) : (J, B) \to (I, A)$ with $u : J \to I \in X^{op}$ and 
$f : (Hu)(B) \to A$. 

Note that, given an indexed category $H$, the corresponding fibration $p$ and 
cofibration $q$ have identical fibres but the non-vertical arrows are generally different. 
The cofibration obtained from $H^{co}$ is dual to the fibration obtained from $H$. 

For examples of institutions which are more naturally associated with cofibrations 
than fibrations, so called co-institutions, see [18]. 

Abstract. We recall basic facts about the institution of multialgebras, 
$\mathcal{MA}$, and introduce a new, quantifier-free reasoning system for deriving 
consequences of multialgebraic specifications. We then show how $\mathcal{MA}$ 
can be used for combining specifications developed in other algebraic 
frameworks. We spell out the definitions of embeddings of the institutions of 
partial algebras, $\mathcal{PA}$, and membership algebras, $\mathcal{MEMB}$, into $\mathcal{MA}$. We 
also show an alternative relation, namely, an institution transformation of 
$\mathcal{PA}$ into $\mathcal{MA}$, and discuss its role as compared to the embedding. 



1 Introduction 

Multialgebras provide a powerful algebraic framework for specification, primarily, 
but not exclusively, of nondeterministic behavior [5,21,20]. A nondeterministic 
operation returns the set of all possible outcomes, so it is interpreted 
as a function from the carrier to the powerset of the carrier. We follow, and 
in a few places generalize, the definitions of multialgebras from earlier works like 
[20,19]. We summarize earlier results on multialgebras in section 2 leading to 
the fact that they form an exact institution $\mathcal{MA}$, [15]. This result underlies the 
study of parameterized specifications and specification of parameterized data 
types, reported in [8,9]; it will be used as the current paper addresses the 
related issue of composing specifications. Section 2 ends with the presentation 
of a new, quantifier-free, sound and strongly complete logic for multialgebraic 
specifications. We thus obtain a general logic of multialgebras (in the sense of 
[11]). The central focus of the paper, however, is neither nondeterminism nor 
reasoning but, instead, the possibilities offered by $\mathcal{MA}$ to combine different 
algebraic specification formalisms in one framework (where the reasoning system 
can, of course, facilitate proving consequences of the combined specifications). 

Section 3 presents embeddings of the institutions $\mathcal{PA}$ of partial algebras and 
$\mathcal{MEMB}$ of membership algebras into $\mathcal{MA}$. We do it by means of an example in 
which a $\mathcal{PA}$-specification Set and a $\mathcal{MEMB}$-specification Nat are embedded 
into $\mathcal{MA}$; the former is augmented with nondeterministic choice U, and then 
extended to a parameterized specification USet[El]; finally, the imported Nat 
specification is passed as an actual parameter. We thus illustrate the potential 
of combining specifications from various algebraic formalisms in a unified framework. 
We also indicate in the concluding section 4 the possibility of extending 
the model class of $\mathcal{PA}$ (and $\mathcal{MEMB}$) specifications with nondeterminism using 
institution transformations, [10], and refer to related work [7,6] on how this can 
be utilized for a smooth introduction of flexible error recovery strategies into 
$\mathcal{PA}$-specifications. 

For reasons of space we have to assume the reader to be familiar 
not only with the general background on algebraic specifications and category 
theory, but also with institutions and their mappings. We use the definitions 
and notation from [11]. 

2 The Institution of Multialgebras 

We summarize the relevant notions about multialgebras (see e.g., [21]; [6] contains 
the proofs concerning the institution of multialgebras). The algebraic signature, 
$\Sigma = (S, \Omega)$, and terms over $\Sigma$ with variables from a set $X$, $T_{\Sigma,X}$, are 
defined in the usual way. A multialgebra for a signature $\Sigma$ is an algebra where 
operations may be set-valued. 

Definition 1. A multialgebra $A$ for $\Sigma = (S, \Omega)$ is given by: 

— a set $s^A$, the carrier set, for each sort symbol $s \in S$ 

— a subset $c^A \in \mathcal{P}(s^A)$, for each constant $c :\to s$ 

— an operation $\omega^A : s_1^A \times \cdots \times s_k^A \to \mathcal{P}(s^A)$ for each symbol $\omega : s_1 \times \cdots \times s_k \to 
s \in \Omega$, where $\mathcal{P}(s^A)$ denotes the power set of $s^A$. Composition of operations 
is defined by pointwise extension, i.e., $f^A(g^A(x)) = \bigcup_{y \in g^A(x)} f^A(y)$. 

The disjoint union of the carrier set(s) of a multialgebra $A$ is denoted by $|A|$. 
One sometimes demands that constants and operations are total [21,19], i.e. 
never return the empty set; we will not make this assumption. An operation 
is total if it returns a nonempty result set for all arguments (a partial operation 
returns an empty result set for some arguments). An operation returning not more 
than one value for any argument is deterministic (a nondeterministic operation 
returns more than one value for some arguments). So an operation that is total 
and deterministic is a function. 

We generalize earlier work by allowing not only the result sets of operations 
but also the carrier sets to be empty. Note that for a constant $c \in \Omega$, $c^A$ denotes 
a (sub)set of the carrier $s^A$. Thus constants can be used for unary predicates (as 
will be done in 3.3, when we relate membership algebras with multialgebras). 
We use weak homomorphisms of multialgebras (see [18] for alternatives). 

Definition 2. Given two $\Sigma$-multialgebras $A$ and $B$, a (weak) homomorphism 
$h : A \to B$ is a set of functions $h_s : s^A \to s^B$ for each sort $s \in S$, such that: 

— $h_s(c^A) \subseteq c^B$, for each constant $c :\to s$ 

— $h_s(\omega^A(a_1, \ldots, a_n)) \subseteq \omega^B(h_{s_1}(a_1), \ldots, h_{s_n}(a_n))$, for each operation $\omega : s_1 \times 
\cdots \times s_n \to s \in \Omega$ and for all $a_i \in s_i^A$. 

The two definitions give us, for a signature $\Sigma$, the category of $\Sigma$-multialgebras, 
$\mathbf{MAlg}_\Sigma$, with $\Sigma$-multialgebras as objects and weak homomorphisms as arrows. 

Multialgebraic specifications are written using the atomic predicates of “de- 
terministic” equality and set inclusion. Since even atomic multialgebraic theories 
do not, in general, possess initial models, there seems to be little reason to re- 
strict the formulae to Horn clauses and so we allow general sequents. 

Definition 3. Given a signature E and a set of variables X, the set Ts ,x of 
well formed formulae is given by: 

1. Atoms: ift,t' x then: 

— t = t' € Ts,x (equality) - t and t' denote the same one-element set. 

— t ^ f € Es^x (inclusion) - the set t is included in the set t' . 

2. r ^ A G iFs,x, when F, A are finite (possibly empty) sets of atoms. 

Occasionally, we may write -’(f, where (j) is an atom, for () Notice that we 
do not (have to) attach the variable contexts to formulae - empty carriers are 
treated differently, mainly by a slight modification of the notion of assignment. 

Definition 4. Given a set of variables $X$ and a multialgebra $A$, an assignment $\alpha$ is a function:

$\alpha : X \to |A| \uplus \{\emptyset\}$, where $\alpha(x_s) = \emptyset \iff s^A = \emptyset$.

The subscript at $x_s$ indicates the sort of the variable, so that $x_s$ is assigned $\emptyset$ iff the sort is empty. Otherwise variables are assigned individual elements, not sets thereof! (For convenience, we identify 1-element sets and individual elements.) Unlike the standard definitions, our definition guarantees the existence of an assignment even if the carrier $|A|$ is empty. Then any term with variables from an empty sort will be empty, since operations in a multialgebra applied to the empty set yield the empty set.

In the standard way, an assignment $\alpha$ to $A$ induces a unique interpretation of any term $t$ in $A$, denoted $\alpha(t)$. Now, satisfaction of formulae in $A$ is defined first relative to an assignment, written $(A, \alpha)$.

Definition 5. The satisfaction relation $\models$ in a multialgebra $A$ is defined by:

1. $(A, \alpha) \models t \prec t'$ iff $\alpha(t) \subseteq \alpha(t')$;

2. $(A, \alpha) \models t = t'$ iff $\alpha(t) = \{e\} = \alpha(t')$, for some $e \in |A|$;

3. $(A, \alpha) \models \Gamma \to \Delta$ iff $(\exists \delta \in \Delta : (A, \alpha) \models \delta)$ or $(\exists \gamma \in \Gamma : (A, \alpha) \not\models \gamma)$;

4. $A \models \phi$ iff $\forall \alpha : Var(\phi) \to A : (A, \alpha) \models \phi$, where $Var(\phi)$ denotes all variables in $\phi$.

Putting all the definitions together, we obtain the institution $\mathcal{MA}$, [6]. It has the following property, which is used in defining the semantics of parameterized specifications:

Proposition 1. The model functor $Mod_{\mathcal{MA}} : Sign^{op} \to Cat$ is finitely continuous.

Since $Sign$ is (finitely) cocomplete, we obtain that $\mathcal{MA}$ is an exact institution, [15]. Consequently, it satisfies the amalgamation lemma (for its formulation and proof the reader is referred to [17], where exact institutions are called institutions with composable signatures).




Combining Specification Formalisms in the ‘General Logic’ of Multialgebras 331 



2.1 The Gentzen Proof System 

We give a quantifier free Gentzen style proof system $\mathcal{G}$ for multialgebraic specifications. First a notational convention.

Remark 1. According to point 2 in Definition 5, an equality may hold only if the carrier (of the respective sort) is non-empty. Given an algebra $A$, we have that:

$A \models x_s = x_s \iff s^A \neq \emptyset$ and $A \models \neg(x_s = x_s) \iff s^A = \emptyset$

Also, if $s^A = \emptyset$, we have for any terms $t_s, t'_s$: $A \models t_s \prec t'_s$ and $A \not\models t_s = t'_s$.

We introduce logical symbols abbreviating the formulae stating that a carrier is empty or not.

Definition 6. We define the symbols $\varepsilon_s = \neg(x_s = x_s)$, for any $x_s \in X_s$, and $\neg\varepsilon_s = x_s = x_s$, for any $x_s \in X_s$. By Remark 1, for any algebra $A$:

$A \models \varepsilon_s \iff s^A = \emptyset$ and $A \models \neg\varepsilon_s \iff s^A \neq \emptyset$

The axioms and rules of the system $\mathcal{G}$ are given below. $\mathcal{G}$ allows us to derive sequents from a set $\Theta$ of sequents. (We also allow $\varepsilon_s$ as additional ground atomic formulae.) For deriving only multialgebraic tautologies, the system $\mathcal{G}^-$ containing only the logical axioms, the replacement and the expansion rules will suffice. For strong completeness, however, we also need the additional specific cut rules originating from [16]. Notice that these are much more tractable than the general cut, since they give a specific prescription as to what cut-formulae can be used in a bottom-up proof construction. These rules allow us to dispense with the quantifiers when proving consequences of axiomatic theories. (In [2], proving $\phi$ from a specification $\Theta$ required translation of the whole into a first-order formula, corresponding to $\forall(\Theta) \to \phi$. Besides the translation work, it required the use of quantifiers and limited the result to finite $\Theta$ only.) On the other hand, Definition 4 of assignment and Remark 1 explain that quantifiers can be avoided also when dealing with empty carriers. Except for the presence of the atomic predicate $=$, these are the most significant improvements with respect to the closely related system from [2]. For the details concerning the system below, the reader is referred to [6].

Axioms

$\Gamma \to x \prec x, \Delta$ (for $x \in X$)     $\Gamma, \gamma \to \gamma, \Delta$     $\Gamma, \varepsilon_s \to t_s \prec t'_s, \Delta$

Replacement rules

$\dfrac{\Gamma, x \prec t \to \Delta, x \prec t'}{\Gamma \to \Delta, t \prec t'}$   ($t \notin X$ and $x \in X$ is fresh)

$\dfrac{\Gamma \to \Delta, x \prec t \quad\mid\quad \Gamma, x \prec t' \to \Delta}{\Gamma, t \prec t' \to \Delta}$   ($t \notin X$ and $x \in X$ arbitrary)

r ^ A,y I r ^ A,x < f{...,y,...) F,y <t,x < f[. . . ,y,. . ^ A 
r ^ A,x < r,x < ^ A 

where y G X arbitrary and t ^ X where y G X is fresh and t ^ X 
$\dfrac{\Gamma \to \Delta, t = x \quad\mid\quad \Gamma \to \Delta, t' = x}{\Gamma \to \Delta, t = t'}$   ($t, t' \notin X$ and $x \in X$ arbitrary)



$\dfrac{\Gamma, t_s = x_s, t'_s = x_s \to \Delta}{\Gamma, t_s = t'_s \to \Delta}$   ($t_s, t'_s \notin X$ and $x_s \in X$ is fresh)



$\dfrac{\Gamma \to \Delta, t_s \prec x_s \quad\mid\quad \Gamma \to \Delta, x_s \prec t_s \quad\mid\quad \Gamma, \varepsilon_s \to \Delta}{\Gamma \to \Delta, t_s = x_s}$   (where $x_s \in X$ and $t_s \neq x_s$)



$\dfrac{\Gamma, t_s \prec x_s, x_s \prec t_s \to \Delta, \varepsilon_s}{\Gamma, t_s = x_s \to \Delta}$   (where $x_s \in X$ and $t_s \neq x_s$)



$\dfrac{\Gamma \to \Delta, t_s \prec x_s \quad\mid\quad \Gamma \to \Delta, x_s \prec t_s \quad\mid\quad \Gamma, \varepsilon_s \to \Delta}{\Gamma \to \Delta, x_s = t_s}$   (where $x_s \in X$ and $t_s \neq x_s$)



$\dfrac{\Gamma, t_s \prec x_s, x_s \prec t_s \to \Delta, \varepsilon_s}{\Gamma, x_s = t_s \to \Delta}$   (where $x_s \in X$ and $t_s \neq x_s$)



Expansion rules

$\dfrac{\Gamma, y \prec f(\bar z) \to \Delta}{\Gamma, y \prec x, x \prec f(\bar z) \to \Delta}$   (sound for arbitrary $x \in X$)

$\dfrac{\Gamma, x \prec y \to \Delta}{\Gamma, y \prec x \to \Delta}$

$\dfrac{\Gamma, z \prec f(\dots, y, \dots) \to \Delta}{\Gamma, y \prec x, z \prec f(\dots, x, \dots) \to \Delta}$   (sound for arbitrary $x \in X$)

$\dfrac{\Gamma, y \prec z \to \Delta}{\Gamma, y \prec x, x \prec z \to \Delta}$

$\dfrac{\Gamma, \varepsilon_s, x_{s'} \prec f(\dots, y_s, \dots), \varepsilon_{s'} \to \Delta}{\Gamma, \varepsilon_s, x_{s'} \prec f(\dots, y_s, \dots) \to \Delta}$



Specific cut rules (relative to the non-logical axioms $\Theta$)

$\dfrac{\Gamma \to \Delta, \gamma'_1 \quad\mid\quad \dots \quad\mid\quad \Gamma \to \Delta, \gamma'_n \quad\mid\quad \Gamma, \delta'_1 \to \Delta \quad\mid\quad \dots \quad\mid\quad \Gamma, \delta'_m \to \Delta}{\Gamma \to \Delta}$

for each axiom $\gamma_1, \dots, \gamma_n \to \delta_1, \dots, \delta_m \in \Theta$, with arbitrary renaming $'$ of variables

Writing $\mathcal{G}^-$ for the above system $\mathcal{G}$ without the specific cut rules, we have:

Proposition 2. The systems are sound and complete: for every sequent $\phi$:

- $\vdash_{\mathcal{G}^-} \phi \iff \models \phi$

- For every set of axioms $\Theta$: $\Theta \vdash_{\mathcal{G}} \phi \iff \Theta \models \phi$.

3 Other Specification Frameworks in $\mathcal{MA}$

In this section we show the embeddings of two institutions, $\mathcal{PA}$ of partial algebras and $\mathcal{MEMB}$ of membership algebras, into $\mathcal{MA}$. By means of an example, we illustrate the power of $\mathcal{MA}$ for reuse and combination of specifications written in other algebraic formalisms. We start by taking a $\mathcal{PA}$-specification of sets and embed it into $\mathcal{MA}$ in 3.1; in 3.2 we extend the resulting specification of sets with a nondeterministic choice operation; in 3.3 we embed a $\mathcal{MEMB}$-specification of natural numbers into $\mathcal{MA}$; in 3.4 we extract a (sub)specification of elements from the specification of sets with nondeterministic choice, obtaining a parameterized specification, and we use the result of the embedding of naturals from $\mathcal{MEMB}$ as an actual parameter. Thus, we have combined $\mathcal{PA}$ and $\mathcal{MEMB}$ specifications in $\mathcal{MA}$; moreover, we have extended the specifications with nondeterminism.

Outline of the following example (the arrows of the original diagram):

- institution embedding: $Set_{\mathcal{PA}} \to Set_{\mathcal{MA}}$
- extension: $Set_{\mathcal{MA}} \to USet_{\mathcal{MA}}$
- parameter introduction: $USet_{\mathcal{MA}} \to USet[El]_{\mathcal{MA}}$, with parameter $El_{\mathcal{MA}}$
- institution embedding: $Nat_{\mathcal{MEMB}} \to Nat_{\mathcal{MA}}$
- instantiation: $USet[El]_{\mathcal{MA}}$ with $Nat_{\mathcal{MA}}$ for $El_{\mathcal{MA}}$, giving $USet[Nat]_{\mathcal{MA}}$

3.5 shows another way of including $\mathcal{PA}$ in $\mathcal{MA}$ and compares it to the embedding.



3.1 Partial Algebras and Multialgebras

We recall the basics of the institution of partial algebras, $\mathcal{PA}$ (e.g., [3, 4, 13]).

Definition 7. A partial algebra $A$ for a signature $\Sigma = (S, \Omega)$ is given by:

- A set $s^A$ for each sort $s \in S$

- A partial function $\omega^A : s_1^A \times \dots \times s_n^A \to s^A$, for each $\omega : s_1 \times \dots \times s_n \to s \in \Omega$

Given two partial algebras $A$ and $B$, a (weak) homomorphism $h : A \to B$ is a set of total functions $h_s : s^A \to s^B$, for each sort $s \in S$, such that:

- $h_s(\omega^A(x_1, \dots, x_n)) = \omega^B(h_{s_1}(x_1), \dots, h_{s_n}(x_n))$ for each $\omega : s_1 \times \dots \times s_n \to s \in \Omega$ and arguments $x_1, \dots, x_n$, whenever $\omega^A(x_1, \dots, x_n)$ is defined.

A weak homomorphism $h$ can be equivalently described as an ordinary homomorphism such that for each operation $\omega \in \Omega$: $h(\mathrm{dom}(\omega^A)) \subseteq \mathrm{dom}(\omega^B)$, where $\mathrm{dom}$ identifies $\omega$'s definition domain in a given algebra.

Definition 8. Formulae are universally quantified Horn clauses over existential equations, $t \stackrel{e}{=} t'$. Satisfaction by a partial algebra $A$ is defined as follows (let $\alpha : X \to |A|$ range over standard assignments (total functions)):

- $(A, \alpha) \models (X; t \stackrel{e}{=} t')$ iff $\alpha(t)$ and $\alpha(t')$ are defined and $\alpha(t) = \alpha(t')$

- $(A, \alpha) \models (X; a_1, \dots, a_n \to a)$ iff $\exists i : 1 \le i \le n : (A, \alpha) \not\models a_i$, or $(A, \alpha) \models a$

- $A \models (X; \phi)$ iff $\forall \alpha : X \to |A| : (A, \alpha) \models (X; \phi)$
Embedding $\mathcal{PA}$ into $\mathcal{MA}$. To relate multialgebras with partial algebras we observe the similarities between the element equality $=$ and the existential equality $\stackrel{e}{=}$. In a multialgebra, the equality does not hold if one side is interpreted by a set with cardinality greater than one or by the empty set. The existential equality does not hold in a partial algebra if one side of the equality sign is undefined. These similarities suggest the straightforward translation: replace $\stackrel{e}{=}$ by $=$. Each $x$ in the variable context $X$ in $(X; \phi)$ will give rise to an extra condition $x = x$ in the antecedent of the translation of $\phi$.¹

On the semantic side, any $\Sigma$-partial algebra can be trivially converted into a $\Sigma$-multialgebra by making all undefined operations return the empty set. Since operations in a multialgebra are strict on the empty set, the implicit strictness assumption from partial algebras will be enforced automatically.

Definition 9. The functor $\beta^- : Mod_{\mathcal{PA}}(\Sigma) \to Mod_{\mathcal{MA}}(\Sigma)$ maps a partial algebra $A$ to a multialgebra in the following way:

- $|\beta^-(A)| = |A|$

- for all $\bar x \in |\beta^-(A)|$ and $f \in \Omega$: $f(\bar x)^{\beta^-(A)} = \{f(\bar x)^A\}$ if $\bar x \in \mathrm{dom}(f^A)$, and $\emptyset$ otherwise

For a homomorphism $h \in Mod_{\mathcal{PA}}(\Sigma)$, we define $\beta^-(h) = h$.

For a multialgebra $M$ where all operations are either deterministic or return the empty set, $\beta(M)$ denotes the corresponding partial algebra, i.e., $\beta^-(\beta(M)) = M$.

Saying that a multialgebra and a partial algebra are "essentially the same", we will mean that they are obtained from each other by means of $\beta(\_)$, resp. $\beta^-(\_)$.

The embedding of $\mathcal{PA}$ into $\mathcal{MA}$ is now obtained by augmenting the partial algebra specification with additional axioms forcing all operations to return either a unique element or the empty set. This is the underlying model in partial algebras which in the generalized context of $\mathcal{MA}$ needs explicit axioms. For an operation $f(\bar x)$, the axiom forcing it to be empty or deterministic is of the form $y = y, y \prec f(\bar x) \to f(\bar x) = f(\bar x)$, where $y$ is a fresh variable. The example below shows the embedding of the $\mathcal{PA}$-specification of sets (it is the constant $\{\}$ which can be partial in this example).



$Set_{\mathcal{PA}}$ =
  S : Set, El
  $\Omega$ : $\{\} : \to Set$
      $\circ : El \times Set \to Set$
  $\Theta$ : 1. $\{x, y, S\};\ x \circ (y \circ S) \stackrel{e}{=} y \circ (x \circ S)$
      2. $\{x, S\};\ x \circ (x \circ S) \stackrel{e}{=} x \circ S$

$Set_{\mathcal{MA}}$ =
  S : Set, El
  $\Omega$ : $\{\} : \to Set$
      $\circ : El \times Set \to Set$
  $\Theta$ : 1. $x = x, y = y, S = S \to x \circ (y \circ S) = y \circ (x \circ S)$
      2. $x = x, S = S \to x \circ (x \circ S) = x \circ S$
      3. $y = y, y \prec x \circ S \to x \circ S = x \circ S$
      4. $y = y, y \prec \{\} \to \{\} = \{\}$


¹ For the use with the logic $\mathcal{G}$, we would instead add, to the consequent of the translated $\phi$, the disjunct $\varepsilon_s$ for each sort $s$ for which there is a variable $x_s \in X$. I.e., $(\{x_s\}; \Gamma \to a)$ would become $\Gamma \to a, \varepsilon_s$, rather than $x_s = x_s, \Gamma \to a$. But we retain this latter notation to emphasize that all translated formulae remain Horn clauses.
The following lemma shows that the axioms of the above form (e.g., 3., 4.) are sufficient: multialgebras satisfying such axioms are "essentially" partial algebras.

Lemma 1. Let $SP = (S, \Omega, \Theta)$ be a specification in $\mathcal{MA}$ such that, for each operation $f : \bar s \to s \in \Omega$: $SP \models y = y, y \prec f(\bar x) \to f(\bar x) = f(\bar x)$, where $y$ is distinct from all $\bar x$. Then in any $M \in Mod_{\mathcal{MA}}(SP)$ we have that for all $\bar x \in |M|$: $f(\bar x)^M = \emptyset$ or $f(\bar x)^M$ is deterministic.

Proof. Let $M \in Mod_{\mathcal{MA}}(SP)$ and $\alpha : \{y, \bar x\} \to M$ be an assignment. Two cases:

1. $(M, \alpha) \not\models y = y$: then the carrier set of $s$ is empty, so $\alpha(f(\bar x))^M = \emptyset$.

2. $(M, \alpha) \models y = y$: if $(M, \alpha) \not\models f(\bar x) = f(\bar x)$ then, since $(M, \alpha) \models y = y, y \prec f(\bar x) \to f(\bar x) = f(\bar x)$, we must have that $(M, \alpha) \not\models y \prec f(\bar x)$, i.e., $\alpha(f(\bar x))^M = \emptyset$.

($\alpha(f(\bar x))^M$ may be $\emptyset$ also when some of $\bar x$ range over empty sorts, but this case is covered by point 2. Thus we do not need additional conditions $x = x$ for $x \in \bar x$.)

□



The lemma and the above discussion lead to the main fact:

Proposition 3. There is an embedding $(\Phi, \alpha, \beta)$ of institutions from $\mathcal{PA}$ to $\mathcal{MA}$; the embedding is a simple map.

- The functor $\Phi : Sign_{\mathcal{PA}} \to Th_{\mathcal{MA}}$ is given by: $\Phi(S, \Omega) = ((S, \Omega), \Theta_\Sigma)$, where $\Theta_\Sigma = \{y = y, y \prec f(\bar x) \to f(\bar x) = f(\bar x) : f \in \Omega\}$. For morphisms $\Phi$ is the identity.

- The natural transformation $\alpha : Sen_{\mathcal{PA}} \to \Phi; Sen_{\mathcal{MA}}$ is given by:

  • $\alpha(t \stackrel{e}{=} t') = t = t'$ - auxiliary definition for atoms

  • $\alpha(\{x_1 \dots x_k\}; a_1 \dots a_n \to a) = x_1 = x_1, \dots, x_k = x_k, \alpha(a_1), \dots, \alpha(a_n) \to \alpha(a)$

  $\Phi$ is extended to a functor $\Phi : Th_{\mathcal{PA}} \to Th_{\mathcal{MA}}$ by: $\Phi(\Sigma, \Theta) = (\Sigma, \Theta_\Sigma \cup \alpha_\Sigma(\Theta))$.

- The components of the natural transformation $\beta : \Phi^{op}; Mod_{\mathcal{MA}} \to Mod_{\mathcal{PA}}$ are the $\beta$'s from Definition 9, i.e.:

  • $|\beta_\Sigma(M')| = |M'|$

  • $f(x_1, \dots, x_n)^{\beta_\Sigma(M')}$ is undefined if $f(x_1, \dots, x_n)^{M'} = \emptyset$, and is the $x$ such that $f(x_1, \dots, x_n)^{M'} = \{x\}$ otherwise

  This is a well defined partial algebra by Lemma 1. For a homomorphism $h \in Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$, we define $\beta_\Sigma(h) = h$.

We also have an immediate consequence of the above construction:

Proposition 4. For a $\mathcal{PA}$ theory $(\Sigma, \Theta)$, the functor $\beta_{(\Sigma, \Theta)}$ is an equivalence (in fact, an isomorphism) of categories $Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$ and $Mod_{\mathcal{PA}}(\Sigma, \Theta)$.

Proof. The inverse functor $\beta^-_{(\Sigma, \Theta)}$ sends a partial algebra $P \in Mod_{\mathcal{PA}}(\Sigma, \Theta)$ onto a multialgebra $M' \in Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$ such that $\beta(M') = P$, i.e., it is $\beta^-$ from Definition 9. One verifies easily the isomorphism condition. □

As Mossakowski showed in [13], $\mathcal{PA}$ allows one to specify exactly the finitely locally presentable categories [1], i.e. we have identified the sub-institution of $\mathcal{MA}$ allowing one to specify these classes of models. Given a partial algebra specification $SP$, we call $\Phi(SP)$ a multialgebra specification of partial form and denote this sub-institution $\mathcal{MAPA}$. As the finitely locally presentable categories have initial models, we have also obtained a sub-institution of $\mathcal{MA}$ admitting such models.



3.2 Extending Specifications with Nondeterminism

In some cases it may be desirable to extend a specification with nondeterministic operations. A strategy for doing this is to embed the specification into $\mathcal{MA}$ and then add the nondeterministic operations.

The obtained specification $Set_{\mathcal{MA}}$ is extended with nondeterministic choice $\cup$.

$USet_{\mathcal{MA}}$ =
  S : Set, El
  $\Omega$ : $\{\} : \to Set$
      $\circ : El \times Set \to Set$
      $\cup : Set \to El$
  $\Theta$ : 1. $x = x, y = y, S = S \to x \circ (y \circ S) = y \circ (x \circ S)$
      2. $x = x, S = S \to x \circ (x \circ S) = x \circ S$
      3. $y = y, y \prec x \circ S \to x \circ S = x \circ S$
      4. $y = y, y \prec \{\} \to \{\} = \{\}$
      5. $z \prec \cup(x \circ S) \to z = x, z \prec \cup(S)$

A possible model $A$, shown below, has total and deterministic operations $\{\}$ and $\circ$, while $\cup(\{\})$ is undefined and $\cup(S)$ for non-empty $S$ is nondeterministic.²

  $El^A = \{a, b, c\}$
  $Set^A = \mathcal{P}(El^A)$
  $\{\}^A = \{\emptyset\}$
  $x \circ^A S = \{x\} \cup S$
  $\cup^A S = S$
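The semantics of Definitions 4 and 5, Remark 1 and the model of USet just given, as an added example that is not part of the paper: a small Python interpreter for set-valued terms and sequents, run on that model. The operation names `empty`, `cons` and `choice` stand for {}, ∘ and ∪, `None` stands for the ∅ assigned to a variable of an empty sort, and the element set of the model is left as a parameter so that the empty-carrier case of Remark 1 can be exercised on the same specification; all of these are this example's own choices.

```python
from itertools import product, combinations

# Added example, not from the paper: an interpreter for the multialgebra semantics
# of Definitions 4 and 5, run on the USet model of Section 3.2.  Terms are
# variables (strings) or tuples ('op', arg_term, ...); a constant is ('c',).
# Atoms are ('incl', t, u) for t ≺ u and ('eq', t, u) for t = u; a sequent
# Gamma → Delta is a pair of lists of atoms.

class Multialgebra:
    def __init__(self, carriers, ops):
        self.carriers = carriers   # sort -> set of elements (possibly empty)
        self.ops = ops             # op -> function on elements returning a set of results

    def apply(self, op, arg_sets):
        # Pointwise extension of a set-valued operation to sets of arguments.  If some
        # argument set is empty the product is empty and so is the result: operations
        # are strict on the empty set, as the text following Definition 4 requires.
        return frozenset().union(*(self.ops[op](*args) for args in product(*arg_sets)))

    def eval_term(self, term, a):
        if isinstance(term, str):                      # variable: {a(x)}, or ∅ if a(x) = ∅
            return frozenset() if a[term] is None else frozenset([a[term]])
        op, *args = term
        return self.apply(op, [self.eval_term(t, a) for t in args])

    def assignments(self, variables):
        # Definition 4: a variable of an empty sort is assigned ∅ (None here);
        # otherwise it ranges over the individual elements of its sort.
        names = [x for x, _ in variables]
        choices = [list(self.carriers[s]) or [None] for _, s in variables]
        for combo in product(*choices):
            yield dict(zip(names, combo))

    def sat_atom(self, atom, a):
        kind, t, u = atom
        tv, uv = self.eval_term(t, a), self.eval_term(u, a)
        if kind == 'incl':
            return tv <= uv                    # point 1: a(t) ⊆ a(u)
        return len(tv) == 1 and tv == uv       # point 2: both denote the same singleton

    def sat_sequent(self, gamma, delta, a):
        # point 3: some consequent holds or some antecedent fails
        return any(self.sat_atom(d, a) for d in delta) or \
            not all(self.sat_atom(g, a) for g in gamma)

    def satisfies(self, gamma, delta, variables):
        # point 4: satisfaction under every assignment of the listed (name, sort) variables
        return all(self.sat_sequent(gamma, delta, a) for a in self.assignments(variables))

def powerset(xs):
    xs = list(xs)
    return {frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)}

def uset_model(elements):
    # The model A of Section 3.2 with El^A = elements (the paper uses {a, b, c}):
    # {} and ∘ are total and deterministic, ∪(S) returns each element of S and
    # ∪({}) = ∅ (undefined).  The element {} of sort Set is the set ∅, distinct
    # from the empty result set of an undefined operation.
    el = frozenset(elements)
    return Multialgebra({'El': el, 'Set': powerset(el)},
                        {'empty': lambda: {frozenset()},
                         'cons': lambda x, S: {S | {x}},
                         'choice': lambda S: set(S)})

def eq(t, u): return ('eq', t, u)
def incl(t, u): return ('incl', t, u)
def cons(x, S): return ('cons', x, S)

def check_uset_axioms(A):
    """Axioms 1, 3 and 5 of USet, plus the determinacy axiom of Lemma 1 written for ∪."""
    return {
        'axiom1': A.satisfies([eq('x', 'x'), eq('y', 'y'), eq('S', 'S')],
                              [eq(cons('x', cons('y', 'S')), cons('y', cons('x', 'S')))],
                              [('x', 'El'), ('y', 'El'), ('S', 'Set')]),
        'axiom3': A.satisfies([eq('T', 'T'), incl('T', cons('x', 'S'))],
                              [eq(cons('x', 'S'), cons('x', 'S'))],
                              [('x', 'El'), ('S', 'Set'), ('T', 'Set')]),
        'axiom5': A.satisfies([incl('z', ('choice', cons('x', 'S')))],
                              [eq('z', 'x'), incl('z', ('choice', 'S'))],
                              [('x', 'El'), ('z', 'El'), ('S', 'Set')]),
        # y = y, y ≺ ∪(S) → ∪(S) = ∪(S) fails: ∪ is not empty-or-deterministic
        'choice_determinate': A.satisfies([eq('y', 'y'), incl('y', ('choice', 'S'))],
                                          [eq(('choice', 'S'), ('choice', 'S'))],
                                          [('y', 'El'), ('S', 'Set')]),
    }

def check_remark1(A):
    """Remark 1: x_s = x_s holds iff s^A ≠ ∅; with s^A = ∅ every inclusion t_s ≺ t'_s holds."""
    xs = [('x', 'El'), ('y', 'El')]
    return {'eq': A.satisfies([], [eq('x', 'x')], xs),
            'neg_eq': A.satisfies([eq('x', 'x')], [], xs),
            'incl': A.satisfies([], [incl('x', 'y')], xs)}
```

Running `check_uset_axioms(uset_model('abc'))` reports axioms 1, 3 and 5 as satisfied and the determinacy axiom written for ∪ as violated, which is exactly the distinction Lemma 1 draws between ∘ and ∪ in this model; `check_remark1(uset_model(''))` shows x = x failing, its negation holding and x ≺ y holding once the carrier of El is empty, while the same checks on the three-element model come out the other way round.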



3.3 Membership Algebras and Multialgebras

We now repeat the steps made for $\mathcal{PA}$ for the institution $\mathcal{MEMB}$ of membership algebras, [12]. We will use notation corresponding to the rest of the paper, which slightly differs from that used in [12].

Definition 10. A (membership) signature $\Sigma$ is a quadruple $\Sigma = (S, \Omega, \Pi, \pi)$, where $(S, \Omega)$ is a standard signature, $\Pi$ is a set of sub-sort predicate names, and $\pi$ is a function $\pi : \Pi \to S$.

The function $\pi$ labels sub-sort predicate symbols by sort symbols: its intention is to identify a predicate $p$ with $\pi(p) = s$ as a sub-sort of sort $s$.

Definition 11. A signature morphism between two membership signatures $\Sigma = (S, \Omega, \Pi, \pi)$ and $\Sigma' = (S', \Omega', \Pi', \pi')$ is a triple $\mu = (\mu_S, \mu_\Omega, \mu_\Pi)$, where $\mu_\Pi : \Pi \to \Pi'$ and $\mu_S : S \to S'$ are functions such that the square formed by $\pi$, $\pi'$, $\mu_\Pi$ and $\mu_S$ commutes, and there exists an $\omega'$ for each $\omega \in \Omega$ such that: $\mu_\Omega(\omega : \bar s \to s) = \omega' : \mu_S(\bar s) \to \mu_S(s)$.

² One should be wary of the possible confusion in this example: the elements of the sort of defined sets $Set$ obtain in $A$ the interpretation as the actual, semantic sets of elements, except that $\{\}$ is interpreted as a well defined element $\{\emptyset\}$. The latter must be distinguished from the $\emptyset$ returned by the undefined operation $\cup(\{\})^A$.

Definition 12. A membership algebra for a signature $(S, \Omega, \Pi, \pi)$ is given by:

- a many sorted $(S, \Omega)$ algebra $A$, together with

- an assignment of a subset $p^A \subseteq \pi(p)^A$ for each predicate name $p \in \Pi$.

A membership algebra homomorphism $h : A \to B$ is an ordinary homomorphism which, in addition, satisfies: $h_{\pi(p)}(p^A) \subseteq p^B$.

Definition 13. The axioms used for specifying classes of membership algebras are universally quantified Horn clauses over atomic formulae:

- equations, $t = t'$,

- membership assertions of the form $t : p$, for $p \in \Pi$ and $t \in (T_{\Sigma,X})_{\pi(p)}$.

The assignments to variables are as usual, and the satisfaction is defined as follows:

Definition 14. Let $\alpha : X \to |A|$ range over standard assignments.

1. $(A, \alpha) \models (X; t = t')$ iff $\alpha(t) = \alpha(t')$

2. $(A, \alpha) \models (X; t : p)$ iff $\alpha(t) \in p^A$

3. $(A, \alpha) \models (X; a_1, \dots, a_n \to a)$ iff $\exists a_i : (A, \alpha) \not\models (X; a_i)$ or $(A, \alpha) \models (X; a)$

4. $A \models (X; \phi)$ iff $\forall \alpha : X \to |A| : (A, \alpha) \models (X; \phi)$

It is shown in [12] that the above definitions yield a liberal institution of membership algebras $\mathcal{MEMB}$. Moreover there exists an embedding of institutions both ways between $\mathcal{MEMB}$ and the institution of many sorted Horn logic with predicates and equalities, i.e. these two institutions can be viewed as sub-logics of each other.



Embedding $\mathcal{MEMB}$ into $\mathcal{MA}$ is based on the fact that nondeterministic constants play the same role as unary predicates. Hence the membership relation $t : p$ is naturally translated as $t \prec p$. Making, in addition, all operations deterministic, one obtains the straightforward translation of $\mathcal{MEMB}$ specifications into $\mathcal{MA}$, as shown in the example below:
$Nat_{\mathcal{MEMB}}$ =
  S : Nat
  $\Pi$ : $\pi(nat) = Nat$
      $\pi(pos) = Nat$
  $\Omega$ : $zero : \to Nat$
      $suc : Nat \to Nat$
      $pred : Nat \to Nat$
  $\Theta$ : 1. $\emptyset;\ zero : nat$
      2. $\{x\};\ x : pos \to x : nat$
      3. $\{x\};\ x : nat \to pred(suc(x)) = x$
      4. $\{x\};\ x : pos \to pred(x) : nat$
      5. $\{x\};\ x : nat \to suc(x) : pos$

$Nat_{\mathcal{MA}}$ =
  S : Nat
  $\Omega$ : $nat : \to Nat$
      $pos : \to Nat$
      $zero : \to Nat$
      $suc : Nat \to Nat$
      $pred : Nat \to Nat$
  $\Theta$ : 1. $zero \prec nat$
      2. $x = x, x \prec pos \to x \prec nat$
      3. $x = x, x \prec nat \to pred(suc(x)) = x$
      4. $x = x, x \prec pos \to pred(x) \prec nat$
      5. $x = x, x \prec nat \to suc(x) \prec pos$
      6. $zero = zero$
      7. $suc(x) = suc(x)$
      8. $pred(x) = pred(x)$

Note that axioms 2., 3. and 4. could be written equivalently in $\mathcal{MA}$ as $pos \prec nat$; $pred(pos) \prec nat$; and $suc(nat) \prec pos$, i.e., using the syntax (and the intended, if not the formal, meaning) of unified algebras [14].

Proposition 5. There is an embedding $(\Phi, \alpha, \beta)$ of institutions from $\mathcal{MEMB}$ to $\mathcal{MA}$; the embedding is a simple map of institutions.

- The functor $\Phi : Sign_{\mathcal{MEMB}} \to Th_{\mathcal{MA}}$ is given by:

  $\Phi(S, \Omega, \Pi)$ is the theory $((S, \Omega \uplus \Pi'), \Theta_\Sigma)$, where:

  • $\Pi' = \{p : \to \pi(p) : p \in \Pi\}$ - a new constant of sort $\pi(p)$ for each $p \in \Pi$.

  • $\Theta_\Sigma = \{\omega(\bar x) = \omega(\bar x) : \omega \in \Omega\}$ - determinacy axiom for each operation.

  $\Phi(\mu_S, \mu_\Omega, \mu_\Pi)$ is the signature morphism $(\mu_S, \mu_\Omega \uplus \mu_\Pi)$.

- The natural transformation $\alpha : Sen_{\mathcal{MEMB}} \to \Phi; Sen_{\mathcal{MA}}$ is given by:

  • $\alpha(t : c) = t \prec c$, for each atom $t : c$

  • $\alpha(t = t') = t = t'$, for each atom $t = t'$

  • $\alpha(\{x_1 \dots x_k\}; a_1 \dots a_n \to a) = x_1 = x_1, \dots, x_k = x_k, \alpha(a_1), \dots, \alpha(a_n) \to \alpha(a)$

  $\Phi$ is extended to $\Phi : Th_{\mathcal{MEMB}} \to Th_{\mathcal{MA}}$ by: $\Phi(\Sigma, \Theta) = \Phi(\Sigma) \cup \alpha_\Sigma(\Theta)$.

- The natural transformation $\beta : \Phi^{op}; Mod_{\mathcal{MA}} \to Mod_{\mathcal{MEMB}}$ is essentially the identity on models and homomorphisms. For any $M' \in Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$:

  • $|\beta(M')| = |M'|$

  • $f(x_1, \dots, x_n)^{\beta(M')} = x$ such that $f(x_1, \dots, x_n)^{M'} = \{x\}$

  • $p^{\beta(M')} = p^{M'}$

  For a homomorphism $h : M' \to B' \in Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$, we let $\beta(h) = h$.

Proposition 6. The functor $\beta_{(\Sigma, \Theta)}$ is an equivalence (in fact, an isomorphism) of categories $Mod_{\mathcal{MA}}(\Phi(\Sigma, \Theta))$ and $Mod_{\mathcal{MEMB}}(\Sigma, \Theta)$ for every $\mathcal{MEMB}$ theory $(\Sigma, \Theta)$.

Proof. The inverse functor sends a membership algebra $M \in Mod(\Sigma, \Theta)$ onto a multialgebra $M' \in Mod(\Phi(\Sigma, \Theta))$ such that $\beta(M') = M$ (i.e., $|M'| = |M|$, $f^{M'}(\bar x) = \{f^M(\bar x)\}$ and for $p \in \Pi$: $p^{M'} = p^M$). One verifies easily the isomorphism condition. □
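The translations behind Definition 9 and Propositions 3 and 5 (β⁻ and β on models, α on sentences, and the determinacy axioms Θ_Σ), as an added example that is not part of the paper, carried out on a constructed finite partial algebra of naturals up to 3 with partial `suc` and `pred`. Atoms are tuples `('eq', t, u)` and `('incl', t, u)`, a membership predicate `p` is read as the constant term `('p',)`, and `None` marks an undefined result; these representation choices are this example's own.

```python
from itertools import product

# Added example, not from the paper: the model translations of Definition 9 and
# the sentence translations of Propositions 3 and 5 on constructed finite
# algebras.  A partial operation returns None where undefined; a multialgebra
# operation returns a frozenset of results.  Operations are tabulated as
# name -> (argument sorts, function); carriers as sort -> set of elements.

def beta_minus(partial_ops):
    """beta^- of Definition 9: undefined results become the empty set, defined ones singletons."""
    def lift(f):
        def g(*args):
            r = f(*args)
            return frozenset() if r is None else frozenset([r])
        return g
    return {name: (sorts, lift(f)) for name, (sorts, f) in partial_ops.items()}

def essentially_partial(carriers, multi_ops):
    """The conclusion of Lemma 1, checked by enumeration: every result is empty or a singleton."""
    return all(len(g(*args)) <= 1
               for sorts, g in multi_ops.values()
               for args in product(*(carriers[s] for s in sorts)))

def beta(carriers, multi_ops):
    """beta of Definition 9 / Proposition 3: only defined for essentially partial multialgebras."""
    if not essentially_partial(carriers, multi_ops):
        raise ValueError("some operation is nondeterministic; beta is undefined")
    def lower(g):
        return lambda *args: next(iter(g(*args)), None)   # {x} -> x, empty -> None
    return {name: (sorts, lower(g)) for name, (sorts, g) in multi_ops.items()}

def alpha_pa(context, antecedent, consequent):
    """alpha of Proposition 3: existential equations become element equalities and
    every context variable x contributes the antecedent condition x = x."""
    return ([('eq', x, x) for x in context] + [('eq', t, u) for t, u in antecedent],
            [('eq', t, u) for t, u in consequent])

def alpha_memb(context, antecedent, consequent):
    """alpha of Proposition 5: a membership ('mem', t, p) becomes the inclusion t ≺ p,
    with the predicate p read as the constant term ('p',)."""
    def atom(a):
        kind, t, u = a
        return ('incl', t, (u,)) if kind == 'mem' else ('eq', t, u)
    return ([('eq', x, x) for x in context] + [atom(a) for a in antecedent],
            [atom(a) for a in consequent])

def determinacy_axiom(f, arity):
    """Theta_Sigma of Proposition 3: y = y, y ≺ f(x1..xn) → f(x1..xn) = f(x1..xn), y fresh."""
    term = (f,) + tuple('x%d' % i for i in range(1, arity + 1))
    return ([('eq', 'y', 'y'), ('incl', 'y', term)], [('eq', term, term)])

# Constructed sample (not the paper's): naturals up to 3 with partial suc and pred.
NAT = {'Nat': {0, 1, 2, 3}}
NAT_PARTIAL = {
    'zero': ([], lambda: 0),
    'suc':  (['Nat'], lambda x: x + 1 if x < 3 else None),
    'pred': (['Nat'], lambda x: x - 1 if x > 0 else None),
}

def nat_examples():
    """Apply beta^- and beta to the sample and check the round trip of Proposition 4."""
    multi = beta_minus(NAT_PARTIAL)
    back = beta(NAT, multi)
    # a variant where suc may return two results is not essentially partial
    nondet = dict(multi, suc=(['Nat'], lambda x: frozenset({x, x + 1}) & {0, 1, 2, 3}))
    return {
        'pred_of_zero': multi['pred'][1](0),     # undefined in the partial algebra: ∅
        'suc_of_two': multi['suc'][1](2),        # defined: the singleton {3}
        'partial_form': essentially_partial(NAT, multi),
        'round_trip': all(back[n][1](*a) == f(*a)
                          for n, (s, f) in NAT_PARTIAL.items()
                          for a in product(*(NAT[t] for t in s))),
        'nondet_rejected': not essentially_partial(NAT, nondet),
    }
```

`alpha_pa` applied to axiom 2 of $Set_{\mathcal{PA}}$ yields axiom 2 of $Set_{\mathcal{MA}}$, and `alpha_memb` applied to axiom 4 of $Nat_{\mathcal{MEMB}}$ yields axiom 4 of $Nat_{\mathcal{MA}}$; `nat_examples` shows β⁻ sending the undefined `pred(0)` to ∅, β recovering the original partial functions, and the determinacy check rejecting a variant in which `suc` is nondeterministic.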
3.4 Parameterized Specifications in $\mathcal{MA}$

Parameterized specifications and, in particular, specifications of parameterized data types in $\mathcal{MA}$, based on a generalization of the traditional persistency requirement, have been described in [8] and are further studied in [9]. In [9] we also address the issue of refinement of specifications based on introduction of additional structure into the specified programs. In the current context, we only claim that extracting a parameter from a flat specification can be seen as a refinement. We thus view now the specification $USet_{\mathcal{MA}}$ from 3.2 as a parameterized specification

$\iota : El_{\mathcal{MA}} \to USet[El]_{\mathcal{MA}}$   (1)

where the parameter specification $El_{\mathcal{MA}}$ is simply the sort $El$.

Let $\mu : El_{\mathcal{MA}} \to Nat_{\mathcal{MA}}$ be the obvious specification morphism. In the standard way, we obtain the result of this parameter instantiation, $USet[Nat]_{\mathcal{MA}}$, as the pushout in the category $Th_{\mathcal{MA}}$ of multialgebraic specifications:

(Diagram: the pushout square with corners $El_{\mathcal{MA}}$, $USet[El]_{\mathcal{MA}}$, $Nat_{\mathcal{MA}}$ and $USet[Nat]_{\mathcal{MA}}$.)

Proposition 1 ensures the existence of well-defined semantics for such parameter instantiation in $\mathcal{MA}$. For the parameterized specification (1), one can even find a persistent functor $F : Mod_{\mathcal{MA}}(El) \to Mod_{\mathcal{MA}}(USet[El])$:

  $El^{F(A)} = El^A$
  $Set^{F(A)} = \mathcal{P}(El^A)$
  $x \circ^{F(A)} S = \{x\} \cup S$
  $\cup^{F(A)} S = S$

The model in 3.2 was obtained by applying this $F$ to the algebra with $|El| = \{a, b, c\}$. Using Proposition 1, the persistent functor for the instantiated specification $\iota' : Nat_{\mathcal{MA}} \to USet[Nat]_{\mathcal{MA}}$ can be obtained from $F$ by amalgamation.



3.5 Institution Transformation of $\mathcal{PA}$ into $\mathcal{MA}$

$\mathcal{MA}$ offers wider possibilities of reuse and combination than the embeddings exemplified so far. Instead of embedding other institutions, we can transform them into $\mathcal{MA}$. The transformation (proposed in [10] as one of the primitive operations for constructing various mappings of institutions) amounts, roughly, to extending the model class: for $\mathcal{PA}$ it will be like the embedding from Proposition 3 but without adding the determinacy axioms:

$Set_{\mathcal{PA}}$ =
  S : Set, El
  $\Omega$ : $\{\} : \to Set$
      $\circ : El \times Set \to Set$
  $\Theta$ : 1. $\{x, y, S\};\ x \circ (y \circ S) \stackrel{e}{=} y \circ (x \circ S)$
      2. $\{x, S\};\ x \circ (x \circ S) \stackrel{e}{=} x \circ S$

$Set'_{\mathcal{MA}}$ =
  S : Set, El
  $\Omega$ : $\{\} : \to Set$
      $\circ : El \times Set \to Set$
  $\Theta$ : 1. $x = x, y = y, S = S \to x \circ (y \circ S) = y \circ (x \circ S)$
      2. $x = x, S = S \to x \circ (x \circ S) = x \circ S$

Embedding into $\mathcal{MA}$ allows one to augment existing operations with new, possibly nondeterministic ones, as was done in 3.2. Transforming, on the other hand, allows one to extend the model class so that some old operations may acquire nondeterministic behavior. The resulting specification $Set'_{\mathcal{MA}}$ above has a larger model class than the transformed $Set_{\mathcal{PA}}$: not only multialgebras which are "essentially" partial algebras, where $\{\}$ is undefined or deterministic, but also ones where it is nondeterministic.

Proposition 7. There is an institution transformation $(\Phi, \alpha, \beta^-)$ of $\mathcal{PA}$ to $\mathcal{MA}$.

- The functor $\Phi : Sign_{\mathcal{PA}} \to Sign_{\mathcal{MA}}$ is the identity on objects and morphisms.

- The natural transformation $\alpha : Sen_{\mathcal{PA}} \to Sen_{\mathcal{MA}}$ is as in Proposition 3:

  • $\alpha(t \stackrel{e}{=} t') = t = t'$ for each atom $t \stackrel{e}{=} t'$, and

  • $\alpha(\{x_1, \dots, x_k\}; a_1, \dots, a_n \to a) = x_1 = x_1, \dots, x_k = x_k, \alpha(a_1), \dots, \alpha(a_n) \to \alpha(a)$

- The components of the natural transformation $\beta^- : Mod_{\mathcal{PA}} \to Mod_{\mathcal{MA}}$ are the $\beta^-$'s from Definition 9, i.e.:

  • $|\beta^-_\Sigma(P)| = |P|$

  • $f(x_1, \dots, x_n)^{\beta^-_\Sigma(P)} = \emptyset$ if $(x_1, \dots, x_n) \notin \mathrm{dom}(f^P)$, and $\{f(x_1, \dots, x_n)^P\}$ otherwise

  For a homomorphism $h \in Mod_{\mathcal{PA}}$, we let $\beta^-_\Sigma(h) = h$.

In [7, 6] this transformation was used for a smooth introduction of error recovery into specifications built in $\mathcal{PA}$. Only operations which in the original $\mathcal{PA}$-specifications might have been partial can now become nondeterministic, and this was used to model partiality, interpreting undefinedness as indeterminacy of the possible result. As the nondeterminism can be narrowed down during the development process, this provided simple means for introduction of error elements or other recovery strategies, including even exceptions. In this case, we would claim, $\mathcal{MA}$ offers means for a unification of the two extremes in specification of partiality: the abstractness of $\mathcal{PA}$, due to the assumption of strictness, needed in the initial stages of development and, on the other hand, the possibility for detailed error treatment offered by total algebra approaches and useful in the final stages of low-level design.



4 Conclusion

Although the parameterization mechanism applied in 3.4 is quite standard, there are two points to observe. For the first, it is used in the new context of $\mathcal{MA}$, for which the relevant properties, in particular exactness, were verified. More importantly, the example from section 3 showed how to reuse (by embedding or transformation) and combine specifications developed in different frameworks. One should emphasize that this reuse is based on a rather straightforward translation of the theories which, for the most part, amounts to axiomatizing the additional properties of various frameworks in order to restrict the generality of the multialgebraic semantics to the appropriate subset of models. As multialgebras extend in a conservative fashion many traditional algebraic frameworks, there is no need of coding or other complicated representation of the imported theories. Partial and membership algebras were chosen as an example, and a trivial embedding can be given of total algebras, but we expect that most algebraic specification formalisms can be fitted, and that also means combined, within $\mathcal{MA}$. Besides embedding, we have also shown another way of including institutions into $\mathcal{MA}$, exemplified by the transformation of $\mathcal{PA}$. With reference to earlier work [7, 6], we suggested that this particular transformation offers a powerful way of combining the advantages of partial algebra and total algebra approaches to partiality, providing additional means for specifying error recovery strategies like exceptions. Details of embeddings, as well as other ways of relating/including various formalisms in $\mathcal{MA}$, remain to be investigated.

The paper also presented a new reasoning system for multialgebras. As compared to earlier ones it combines various aspects: it allows empty results as well as empty carriers, it addresses both inclusion and deterministic equality predicates, it is strongly complete and yet quantifier free. Each of the earlier systems, e.g. [5, 2, 20, 19], was weaker than the present one in at least one of the above points. In [6] a related (and logically equivalent) Rasiowa-Sikorski style system is presented, which is amenable to implementation. With respect to the combination of various specifications, it might be worthwhile to implement such a system in order to experiment with the common logical space for deriving consequences of the combination of specifications originating from different frameworks.

Besides defining explicitly relations to other specification frameworks and developing methodologies for combination of different specifications, the problem which still remains open concerns finding the greatest possible (if such exists) liberal subinstitution of $\mathcal{MA}$, preferably in the form of verifiable restrictions on the syntax of specifications.
Abstract. With the advent of the e-Economy, system architectures need to take into account that Distribution and Mobility define a dimension that is not orthogonal to the traditional two, coordination and computation. In this paper, we address the way that this additional dimension interferes with coordination. First, we address the effectiveness of connectors in place in a system when the properties of the media through which its components can be effectively coordinated are taken into account. Then, we consider the modelling of coordination styles that are location-dependent or even involve the management of the location of the coordinated parties.



1 Introduction 

Architecture-based approaches to the design and construction of software systems 
focus on the gross modularisation of systems as collections of interacting compo- 
nents. At the architecture level, the aspects related to distribution, such as the way the 
system is supposed to be mapped into a network, are not usually addressed. This con- 
forms with traditional forms of distributed systems that consider that the environment 
where a system executes — the physical nodes and links — is statically configured, 
the distribution of the system over these nodes is also static and that all forms of 
communication and access to resources can be provided (directly or indirectly) by the 
operating system or the middleware. 

With the advent of Mobile Computing in wide and ad-hoc networks, new forms of 
distributed systems come into play. In mobile computing systems, components are 
entitled to move across a network that is not necessarily statically determined. The 
network itself may be constituted by mobile nodes without a fixed infrastructure and, 
hence, their connectivity may change over time. In this situation, it is no longer rea- 
sonable to abstract away from component location and the properties of the physical 
distribution topology of locations and communication infrastructure. This is particu- 
larly true at the architectural level. For instance, in architectures that are structured in 
terms of components and connectors [12], it is no longer possible to assume that the 
coordination mechanisms put in place through connectors can be made effective 
across the physical links that connect the hosts of the components in the underlying 
network. Another reason to address the distribution and mobility dimension of sys- 
tems at an architectural level is the fact that this third dimension (together with com- 
putation and coordination) is an additional source of complexity in system develop- 
ment and, hence, should be addressed at the highest possible level of abstraction. 
Therefore, concepts and techniques are needed to support the description of the as- 
pects related to distribution and mobility at the architectural level of software design. 

As a first step towards the more ambitious goal of having an architectural approach to distribution and mobility, we have been investigating the addition of this new dimension to the architectural framework that we developed in the past [8]. In our first step in this direction [11], an extension of CommUnity was proposed in order to support the description of the distribution and mobility dimension of systems. This extension was developed having in mind the goal of being able to represent distribution and mobility explicitly in architectures. In spite of its apparent simplicity, this goal comprises many different aspects that result from the different ways computation, coordination and mobility can interfere. For instance, concerning the interference between computation and mobility, we have already shown that patterns of distribution and mobility of components, or groups of components, can be explicitly represented in architectural descriptions through what we have called distribution connectors, similarly to the way coordination connectors represent component interactions.

In this paper we will explore the interference between coordination and mobility, 
in particular the emergence of several new abstractions for program interaction such 
as transient interaction (e.g., transient variable sharing) [13] and code mobility (e.g., 
remote evaluation and mobile agents) [5]. We will show that these coordination con- 
structs, that facilitate component interactions in mobile systems, can be modelled as 
coordination connectors, and used in systems architectures together with the connec- 
tors that model traditional communication primitives such as asynchronous communi- 
cation and remote procedure call. We shall also address the impact on system archi- 
tecture of the properties of the locations in which components perform their computa- 
tions and the properties of the media through which their interconnections can be 
effectively coordinated. 

The paper is organised as follows. Section 2 briefly introduces the extension we 
have proposed for Community. It encompasses an extension of the program design 
language in order to support the design of components that have location-dependent 
patterns of computing, namely mobile components, an extension of the primitive 
mechanisms that support program interaction, and the definition of program composi- 
tion in this context. Then, in section 3, we shall illustrate how coordination mecha- 
nisms put in place through coordination connectors can become ineffective and need 
to be replaced with ones that are compatible with the connection topology among the 
components available at physical level. Then, section 4 shows how some of the new 
forms of coordination raised by mobility can be expressed as coordination connectors 
and used in systems architectures. Section 5 closes the paper with some conclusions. 
2 The Community Framework 

Community, introduced in [6], is a parallel program design language that is similar to 
Unity [4] in its computational model but adopts a different coordination model. 
Community relies on the sharing (synchronisation) of actions and exchange of data 
through input and output channels and, moreover, it requires interactions between 
components to be made explicit. In Community, the separation between “computa- 
tion” and “coordination” is taken to an extreme in the sense that the definition of the 
individual components of a system is completely separated from the interconnections 
through which these components interact. 



Syntax 

Community was recently extended in order to support the design of the distribution 
and mobility dimension of systems [11]. It adopts an explicit representation of the 
space within which movement takes place, but no specific notion of space is assumed. 
This is achieved by considering that “space” is constituted by the set of possible val- 
ues of a special data type Loc included in a fixed data type specification over which 
components are designed. The data sort Loc models the positions of the space in a 
way that is considered to be adequate for the particular application domain in which 
the system is or will be embedded. The only requirement that we make is for a special 
location ⊥ to be distinguished (its role will be discussed further below). 

In order to model systems that are location-aware, we make explicit how system 
“constituents” (output and private channels, actions, or any group of these) are 
mapped to the positions of the space statically determined by Loc. This is achieved by 
associating each “constituent” of a system with a location variable. Mobility is then 
associated with the change of value of location variables. 

A Community design is defined in terms of input and output location variables 
(resp. denoted by lI, lO), input, output and private channels (resp. denoted by I, O and 
V) and a set of action names (Γ). 

Channels. Private channels model internal communication. Input channels are used 
for reading data from the environment of the component and the component has no 
control on the values that are made available there. Output channels allow the 
environment to read data produced by the component. Each channel v is typed with a sort 
sort(v). We shall use X to denote I∪O∪V. 

Location Variables. Location variables (locations, for short) in a component design 
can be declared as input or output in the same way as channels but are all typed 
with sort Loc. Input locations are read from the environment and cannot be modified 
by the component. Hence, if l∈lI, the movement of any constituent located at l is 
under the control of the environment. Output locations can only be modified locally 
but can be read by the environment. Hence, if l∈lO, the movement of any constituent 
located at l is under the control of the component. 

Each local channel x of a design is associated with a location l. We make this 
assignment explicit by writing x@l. The value of l indicates the current position of the 
space where the values of x are made available. A modification in the value of l 
entails the movement of x as well as of the other channels and actions located at that 
location variable. 

Input channels are located at a special output location λ whose value is invariant 
and given by ⊥. The intuition is that this location variable is a non-commitment to any 
particular location. The idea is that input channels will be assigned a location when 
connected with a specific output channel of some other component of the system. 
Every channel x is associated with a set of locations Λ(x) which is {λ} if x is an input 
channel and is {l,λ} in the case of an output channel x@l. We shall use L to denote the 
pointed set of locations (lI∪lO)_λ and local(X,L) to denote the union V∪O∪lO of local 
channels and locations. 

Actions. Actions can be declared either as private or shared. Private actions repre- 
sent internal computations in the sense that their execution is uniquely under the con- 
trol of the component. Shared actions represent possible interactions between the 
component and the environment, meaning that their execution is also under the con- 
trol of the environment. As we will see, actions provide points of rendez-vous at 
which components can synchronise. 

Each action name g is associated with a set Λ(g) of locations including λ, meaning 
that the execution of action g is distributed over those locations. In other words, the 
execution of g consists of the synchronous execution of a guarded command in each 
of these locations. Guarded commands are associated with located actions, i.e. pairs 
g@l s.t. l∈Λ(g), as follows: 

g@l[D(g@l)]: [G(g@l) → R(g@l)] 

♦ D(g@l) is a subset of local(X,L) consisting of the local channels into which 
executions of the action can place values and of the locations to which the action can 
inflict movement. This is what is sometimes called the write frame of g@l. For 
simplicity, we will often omit the explicit reference to the write frame when 
D(g@l) can be inferred from the assignments. Given a local channel or location v, 
we will also denote by D(v) the set of located actions g@l such that v∈D(g@l). 
The fact that the special location λ is invariant is ensured by the condition 
D(λ)=∅. We denote by F(g@l) the frame of g@l, i.e., the channels and locations 
that are in D(g@l) or used in G(g@l). 

♦ G(g@l) is the guard condition. 

♦ R(g@l) is a conditional multiple assignment on the local channels and locations 
declared in D(g@l). When the write frame D(g@l) is empty, R(g@l) is denoted by 
skip. 

When a design does not explicitly refer to the guarded command associated with 
g@λ, this is because it is the empty command [true → skip]. Notice also that every 
standard Community design (location-unaware) trivially defines a distributed design: 
the one that has all its actions and channels located at λ. 

Variations in the context of execution of a mobile system are not limited to the 
locations of its components and respective hosts. It is important that other observables, 
such as network bandwidth, battery power or the communication range, can be used at the 
programming level. In Community, we have only a construct inrange: Loc → bool that 
allows a program to observe whether a given position of the space is in its communication 
range. 
Semantics 

We assumed that the distribution space is constituted by the set of possible values of a 
given data sort Loc. We consider that, once we fix an algebra U for the data types, 
namely a domain U_Loc for Loc, the relevant properties of the mobility space are 
captured by two binary relations over U_Loc: 

• A relation bt s.t. n bt m means that n and m are positions in the space “in touch” 
with each other. Interactions among components can only take place when they 
are located in positions that are “in touch” with one another. Because the special 
location variable λ is intended to be a position to locate entities that can communicate 
with any other entity in a location-transparent manner, we require that the value of 
λ is always set at configuration time as being ⊥_U and, furthermore, ⊥_U bt m, for 
every m∈U_Loc. 

• A relation reach s.t. n reach m means that position n is reachable from m. Permis- 
sion to move a component or a group of components is conceded when the new 
position “is reachable” from the current one. 

In general, the topology of locations is dynamic and, hence, the operational 
semantics for a program is given in terms of an infinite sequence of relations 
{bt_i, reach_i}, one pair for each execution step i. At each execution step, one of the 
actions that can be executed is chosen and executed. The conditions under which a 
distributed action g can be executed at time i are the following: 

1. for every l1,l2 ∈ Λ(g), [[l1]]_i bt_i [[l2]]_i: the execution of g involves the synchronisation 
of its local actions and, hence, their locations have to be in touch. 

2. for every l∈Λ(g), g@l can be executed, i.e., 

i. for every x∈F(g@l), [[l]]_i bt_i [[Λ(x)]]_i: the execution of g@l requires that every 
channel in the frame of g@l can be accessed and, hence, l has to be in touch 
with their locations. 

ii. for every location l'∈D(g@l) and m∈[[R(g)]]_i(l'), m reach_i [[l']]_i: if a location 
l' can be affected by the execution of g@l, then every possible new value of 
l' must be a position reachable from the current one. 

iii. the local guard G(g@l) evaluates to true 

where [[e]]_i denotes the value of the expression e at time i. In the case of expressions e 
involving inrange(exp), the value of [[e]]_i also depends on the location l where the 
expression is being evaluated and is defined by [[l]]_i bt_i [[exp]]_i. 

Given this, when, in an execution step, one of the actions whose enabling condition 
holds in the current state is selected, its assignments are executed atomically as a 
transaction. Furthermore, it is guaranteed that private actions that are infinitely often 
enabled are selected infinitely often. 

Interaction and Composition 

The primitive mechanisms that support component interaction in Community are the 
synchronisation of actions and the interconnection of input channels of a component 
with output channels of other components. The extension of the language with a dis- 
tribution dimension also entails the definition of mechanisms that support the interac- 
tion of designs at the level of their locations. Such mechanisms are essentially the 
interconnection of input locations of a component with output locations of other com- 
ponents. 

In Community, interactions between components have to be made explicit and 
external to the components by providing the name bindings that express input/output 
communication and action synchronisation. This externalisation of interactions can be 
expressed via the following notion of morphism: 

Given designs P_j with channels X_j, actions Γ_j and locations L_j (j=1,2), a morphism σ: P1→P2 
consists of a total function σ_ch: X1→X2, a partial mapping σ_ac: Γ2→Γ1 and a total 
function σ_lc: L1→L2 that preserves the pointed element (λ), satisfying: 

1. for every x∈X1 and l∈L1: 
   a. sort2(σ_ch(x))=sort1(x) 
   b. if x∈out(X1) (prv(X1)) then σ_ch(x)∈out(X2) (prv(X2)) 
   c. if x∈in(X1) then σ_ch(x)∈out(X2)∪in(X2) 
   d. if l∈outloc(L1) then σ_lc(l)∈outloc(L2) 
   e. σ_lc(Λ1(x))⊆Λ2(σ_ch(x)) 

2. for every g∈Γ2 s.t. σ_ac(g) is defined: 
   a. if g∈sh(Γ2) (prv(Γ2)) then σ_ac(g)∈sh(Γ1) (prv(Γ1)) 
   b. σ_lc(Λ1(σ_ac(g)))⊆Λ2(g) 

3. for every x∈local(X1,L1) and g@l2∈D2(σ(x)): 
   a. σ_ac(g) is defined and 
   b. σ_ac(g)@l1∈D1(x) for some l1∈σ_lc^{-1}(l2)∩Λ1(σ_ac(g)) 

4. for every g∈Γ2 s.t. σ_ac(g) is defined and l∈Λ1(σ_ac(g)): 
   a. σ(D1(σ_ac(g)@l))⊆D2(g@σ_lc(l)) 
   b. Φ ⊢ R2(g@σ_lc(l)) ⇒ σ(R1(σ_ac(g)@l)) 
   c. Φ ⊢ G2(g@σ_lc(l)) ⇒ σ(G1(σ_ac(g)@l)) 

where ⊢ means validity in the first-order sense taken over the axiomatisation Φ of the 
underlying data types (which includes the location space). Designs and morphisms 
constitute a category DSGN. 

This notion of morphism extends what in the literature on parallel program design 
is known as superposition [4,9,10] by taking the distribution aspects into account. A 
morphism σ: P1→P2 identifies a way in which P1 is “augmented” to become P2 so 
that it can be considered as having been obtained from P1 through the superposition of 
additional behaviour, namely the interconnection of one or more components. In 
other words, σ identifies P1 as a component of P2. 

The map σ_ch identifies for every channel of the component the corresponding 
channel of the system. The first group of constraints establishes that sorts and types of 
channels have to be preserved but input channels of a component may become output 
channels of the system. 

The partial mapping σ_ac identifies the action of the component that is involved in 
each action of the system, if ever. This mapping is partial and contravariant to account 
for the fact that, on the one hand, superposition may unfold actions of the original 
program and, on the other hand, new actions may be added. Condition 2.a states that 
the type of actions is preserved. 

The map σ_lc identifies for every location variable of the component the 
corresponding location variable of the system. As for channels, output locations are 
mapped into output locations but input locations of a component may become output 
locations of the system as the result of interconnecting an input location of a 
component with an output location of another component. Conditions 1.e and 2.b state that 
the locations of channels and actions are preserved. 

Conditions 3.a, 3.b and 4.a require that change within a component be completely 
encapsulated in the structure of actions defined for the component, namely they 
ensure that the actions of a component leave the local channels and locations of the 
other components out of their scope. The last two conditions require that the 
computations performed by the system reflect the interconnections established between its 
components. Condition 4.b reflects the fact that the effects of the actions of the 
components can only be preserved or made more deterministic in the system and 
condition 4.c allows the guard of the action to be strengthened but not weakened. 
Strengthening of the guard reflects the fact that all the components that participate in the 
execution of a joint action have to give their permission for the action to occur. 

In the next sections several examples illustrate the way these morphisms can be 
used for establishing interconnections and the way diagrams in the category DSGN 
define systems configurations. The semantics of a system configuration is given by a 
categorical construction: the colimit of the underlying diagram. Taking the colimit of 
a diagram collapses the configuration into an object by internalising all the intercon- 
nections and distribution aspects, thus delivering a design for the system as a whole. 
Colimits in Community capture a generalised notion of parallel composition in which 
the designer makes explicit what interconnections are used between components: 

♦ Channels and locations involved in each I/O-communication established by the 
configuration are amalgamated. 

♦ Every set {g1,...,gn} of actions that are synchronised is represented by a single 
action g1||...||gn whose occurrence captures the joint execution of the actions in the 
set. The transformations performed by the joint action are distributed over the 
locations of the synchronised actions. Each located action g1||...||gn@l is specified by 
the conjunction of the specifications of the local effects of each of the synchronised 
actions g_i that is distributed over l, and the guards of joint actions are also 
obtained through the conjunction of the guards specified by the components. 



3 Effectiveness of Coordination Connectors 

In structural models of Software Architecture, i.e., models that share the view that 
system architectures are structured in terms of components and coordination connec- 
tors, the properties of the physical distribution topology of locations and communica- 
tion links are not usually taken into account. It is assumed that the physical links 
(“wires”) that enable communication between hosts in the underlying communication 
network are fixed and statically determined. Consequently, these models rely on the 
fact that the coordination mechanisms put in place through connectors can be made 
effective across the wires that link the components’ hosts. 

When mobility comes to play, for instance in contexts where physical mobility of 
computation hosts, such as laptops, exists, the wired or wireless physical links that 
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enable communication between hosts can change. Furthermore, the ability of a com- 
ponent to communicate with others is influenced by its location because of the barri- 
ers to communication that are erected in communication networks by system manag- 
ers. Finally, the communication network is also subject to frequent changes. 

In this section, we use an example of a client-server system to show that when the 
distribution aspects of systems are addressed at the architectural level, it is necessary 
to take into account the properties of the network communication infrastructure in 
order to understand whether the coordination connectors in place are effective or have 
to be replaced with ones that are compatible with the topology of distribution avail- 
able at physical level. 

For developing the example, we use the Community architectural framework. In 
particular, we shall make use of the distribution connectors that were proposed in [11], 
through which the mechanisms that define the distribution topology of systems can be 
externalised and explicitly represented in system architectures. 

We consider a very simple client-server system. As usual in this kind of system, 
the server exports a service that the client may request at some point in its execution. 
The service is the calculation of f(v,x) for a certain function f, where v is a resource 
local to the server and x is a value given by the client. 

In Community, clients and servers can be modelled as follows. 



design server is 
  in x: T 
  out r: T 
  prv v: T', lx: T, s: [0..2] 
  do req: [s=0 → lx:=x || s:=1] 
  [] serv: [s=1 → r:=f(v,lx) || s:=2] 
  [] ret: [s=2 → s:=0] 
  [] chg: [true → v:∈T'] 



design client is 
  in res: T 
  out val: T 
  prv rq, inp: bool 
  do req: [¬rq ∧ inp → rq:=true || inp:=false] 
  [] read: [rq → rq:=false] 
  [] prv prod: [¬inp → inp:=true || val:∈T] 



In server, it is modelled that a server repeatedly accepts requests, executes the 
service and returns the result. Moreover, its resource v may be updated at any time 
through the execution of action chg. In client, the typical behaviour of a client is mod- 
elled, ignoring for the moment the details of its internal computation: First, it pro- 
duces the data needed for the service, then it requests the service and, finally, it reads 
the result. 

It remains to describe the way the client and the server interact. There are several 
possibilities; we start by considering the exchange of messages through synchronous 
communication. In other words, the client and the server must synchronise first for the 
transmission of the request’s data and then again for the transmission of the result. 




In order to achieve this form of interaction, we have to make explicit the synchro- 
nisation of the actions req of client and server, the synchronisation of actions read of 
client and ret of server, and the I/O interconnection of the channels used for the 
transmission of the service’s parameter and result. Such interconnections can be de- 
scribed by the following diagram in the category DSGN, 
client ← comm → server   (configuration diagram, rendered textually) 
  res ← • → r      val ← • → x 
  req ← • → req    read ← • → ret 

design sync is 
  in i1, i2: T 
  do ac1: [true → skip] 
  [] ac2: [true → skip] 



where comm consists of two input variables to model the medium through which data 
is to be transmitted between the client and the server, and two shared actions for the 
two components to synchronise in order to transmit the data. Because names in 
Community are local, the identities of the shared input variables and the shared ac- 
tions in comm are not relevant: they are just placeholders for the projections to define 
the relevant bindings. Hence, we normally do not bother to give them explicit names, 
and represent them through the symbol •. 

This architectural description of the client-server system abstracts away how the 
system is supposed to be distributed on the nodes of a network (every design consid- 
ered so far is location-unaware) and takes for granted that the synchronous communi- 
cation between the client and the server can be made effective. This can be easily 
confirmed by analysing the design of the system as a whole, obtained by taking the 
colimit of its configuration diagram. Such design has, for instance, the joint action 

req|req: [¬rq ∧ inp ∧ s=0 → rq:=true || inp:=false || lx:=val || s:=1] 

that models the synchronous execution of actions req of client and server. This action 
is enabled provided that enabling conditions of both actions evaluate to true. Nothing 
else is required, even though the execution of req by server involves the reading of 
val, a resource local to the client. 

Let us now suppose that the server exists at a fixed location — host_s, which is a 
node in a subnet protected by a firewall. That is to say, there exists a filter node and 
every external communication with host_s has to pass through it. If the client exists in 
a node host_c that is not in this subnet, then it is not realistic to expect that the 
coordination of the client and the server put in place through the connector Sync is effective. 
Such distribution aspects of the client-server system can be explicitly modelled as 
follows. 



fixed(host_c) ← dist → client@l        server@l ← dist → fixed(host_s) 
(configuration diagram, rendered textually) 

where 

- fixed(host_c) and fixed(host_s) are instances of a parameterised design fixed(v:Loc) 
that consists of an output location named l that is constrained to be initialised at 
configuration time (i.e. when this component is included in the configuration of 
the system being built) with a value denoted by v. 

- client@l (resp., server@l) denotes the design client (resp., server) augmented 
with an input location variable l, where every action and local channel of client 
(resp., server) is located. 
In this way, it is specified that components client and server are bound statically to 
the network nodes identified by host_c and host_s, respectively. In what concerns the 
connector Sync, namely its glue, our design decision was to keep it location- 
transparent. This choice is justified by the fact that sync does not perform any 
computation but simply provides a pure coordination function just like an ideal, neutral 
“cable”. In the system architecture, this does not need to be specified because every 
constituent of a design is by default considered to be located at the distinguished 
location variable λ. 

It is assumed that host_s, host_c and filter are constants of type Loc. This data type in 
this case has no other requirements than to have these constants and the axioms 
host_s≠host_c, host_s≠filter, host_c≠filter, that ensure that the three hosts are actually 
different. 

By adopting a simple box-and-line notation, the architecture of the system can be 
represented as follows. 




Notice that, in this architecture, we achieved the envisaged separation between the 
individual software components of the system, the coordination connector through 
which they interact, and the mechanisms that are responsible for the distribution to- 
pology of the system. 

A design of the system as a whole, where all interconnections and distribution as- 
pects are internalised (obtained by taking the colimit of the underlying categorical 
diagram) is given by client-sync-server. This design exposes clearly the system de- 
pendence on the properties of the communication infrastructure that is available at 
physical levels, namely the links that connect hostc and hosts in the underlying net- 
work. 

design client-sync-server is 
  outloc lc, ls 
  inv lc=chost ∧ ls=shost 
  out val@lc, res@ls: T 
  prv rq@lc, inp@lc: bool, v@ls: T', lx@ls: T, s@ls: [0..2] 
  do req|req@lc: [¬rq ∧ inp → rq:=true || inp:=false] 
             @ls: [s=0 → lx:=val || s:=1] 
  [] serv@ls: [s=1 → res:=f(v,lx) || s:=2] 
  [] read|ret@lc: [rq → rq:=false] 
              @ls: [s=2 → s:=0] 
  [] prv prod@lc: [¬inp → inp:=true || val:∈T] 
  [] chg@ls: [true → v:∈T'] 

In the situation described previously, host_s is in a subnet protected by a firewall 
and every external communication to host_s has to pass through the filter node. This 
means that the current relation bt (in touch) has the following property: 

for every n∈U_Loc, if host_s bt n then n=⊥ or n∈FW or n=filter 

where FW⊆U_Loc represents the set of nodes of the subnet protected by the firewall. 
Given that host_c∉FW, we have that ¬(host_s bt host_c) and, hence, we may 
conclude that, in client-sync-server, once the client produces the data for the service, the 
issue of the request gets blocked and the system enters a deadlock. This clearly 
confirms that the connector in place in the system is currently not effective and that a 
connector compatible with the current distribution topology has to be used instead. 
Moreover, it points out the importance of being able to make systems evolve through 
dynamic reconfiguration in response to changes in the topology of the network. 
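The blocked request can be checked mechanically. The following Python program is an added example, not code from the paper: it implements the enabling condition of Section 2 (conditions 1, 2.i and 2.iii) and runs it on client-sync-server under a constructed firewall topology. The position names, the string "bot" for ⊥, the symmetry of bt and the absence of movement (so reach is not consulted) are my assumptions.

```python
"""Added example, not part of the paper: a checker for the enabling condition
of a distributed action (Section 2, conditions 1 and 2), run on the
client-sync-server design under the firewall topology of Section 3.

Assumptions (mine): positions are strings, the distinguished position bottom
is the string "bot", the relation bt is symmetric, and no action of the
design moves a location, so the reach relation (condition 2.ii) is not needed.
"""
from itertools import combinations

BOT = "bot"  # the value of the distinguished location variable lambda


def in_touch(bt, n, m):
    """n bt m. A position is in touch with itself, bottom is in touch with
    every position, and bt is taken to be symmetric (assumption)."""
    if n == m or BOT in (n, m):
        return True
    return (n, m) in bt or (m, n) in bt


def action_enabled(action, state, chan_locs, loc_vals, bt):
    """Conditions 1, 2.i and 2.iii for one distributed action at one instant.

    action: location variable -> (guard, frame); guard is a predicate on the
    state, frame is the set F(g@l) of channels used by that local action.
    chan_locs: channel -> set of location variables (the set Lambda(x)).
    loc_vals: location variable -> current position; "lambda" maps to BOT.
    """
    # 1. the locations over which g is distributed must be pairwise in touch
    for l1, l2 in combinations(action, 2):
        if not in_touch(bt, loc_vals[l1], loc_vals[l2]):
            return False
    for l, (guard, frame) in action.items():
        # 2.i  every channel in the frame must be accessible from l
        for x in frame:
            for lx in chan_locs[x]:
                if not in_touch(bt, loc_vals[l], loc_vals[lx]):
                    return False
        # 2.iii the local guard must hold
        if not guard(state):
            return False
    return True


def enabled_actions(design, state, chan_locs, loc_vals, bt):
    """Names of the actions of `design` enabled in `state` at this instant."""
    return {g for g, a in design.items()
            if action_enabled(a, state, chan_locs, loc_vals, bt)}


# client-sync-server as printed in the paper (names kept, guards as Python
# predicates); lambda is included in Lambda(x) of every local channel.
CHAN_LOCS = {
    "val": {"lc", "lambda"}, "rq": {"lc", "lambda"}, "inp": {"lc", "lambda"},
    "res": {"ls", "lambda"}, "v": {"ls", "lambda"},
    "lx": {"ls", "lambda"}, "s": {"ls", "lambda"},
}
CLIENT_SYNC_SERVER = {
    "req|req": {"lc": (lambda st: not st["rq"] and st["inp"], {"rq", "inp"}),
                "ls": (lambda st: st["s"] == 0, {"s", "lx", "val"})},
    "serv": {"ls": (lambda st: st["s"] == 1, {"s", "res", "v", "lx"})},
    "read|ret": {"lc": (lambda st: st["rq"], {"rq"}),
                 "ls": (lambda st: st["s"] == 2, {"s"})},
    "prod": {"lc": (lambda st: not st["inp"], {"inp", "val"})},
    "chg": {"ls": (lambda st: True, {"v"})},
}


def firewall_bt(fw_nodes, client_pos):
    """Constructed topology: nodes inside FW are in touch with each other and
    with the filter node; a node outside FW is in touch with the filter only."""
    bt = {("filter", n) for n in fw_nodes}
    bt |= {(n, m) for n in fw_nodes for m in fw_nodes}
    if client_pos not in fw_nodes:
        bt.add(("filter", client_pos))
    return bt


def enabled_after_prod(client_pos, fw_nodes=frozenset({"shost", "node2"})):
    """Enabled actions once the client has produced its data (inp = true),
    with the server at shost inside FW and the client at client_pos."""
    state = {"rq": False, "inp": True, "s": 0}
    loc_vals = {"lc": client_pos, "ls": "shost", "lambda": BOT}
    bt = firewall_bt(fw_nodes, client_pos)
    return sorted(enabled_actions(CLIENT_SYNC_SERVER, state,
                                  CHAN_LOCS, loc_vals, bt))


if __name__ == "__main__":
    print(enabled_after_prod("chost"))  # client outside FW: req|req blocked
    print(enabled_after_prod("node2"))  # client inside FW: req|req enabled
```

With the client outside FW only chg remains enabled, so the request is never issued; moving the client to a node of FW (or replacing the connector) makes req|req enabled again.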



4 New Patterns of Coordination 

In the context of the separation of computation and coordination supported by 
architecture-based approaches, the distributed and mobile dimension of systems is also 
reflected in the kind of coordination constructs that are appropriate and should be 
available for component interconnection. 

On the one hand, the advent of mobility calls for new abstractions for component 
interaction that facilitate systems design. The fact that components may move across a 
network of locations demands the adoption of coordination styles that are location- 
dependent. Transient interaction, for instance, is a form of interaction that is condi- 
tional on the relative positions of components. More precisely, interaction is limited 
to the situations in which the components are in the communication range of each 
other. 

On the other hand, the opportunities made available by technological developments 
have been explored and have led to new programming paradigms and new conceptual 
mechanisms for structuring systems. For instance, mobile code paradigms such as 
Remote Evaluation and Mobile Agents became very popular in the design of distrib- 
uted applications. As mentioned in [14], coordination no longer involves just commu- 
nication, it may also involve the management of the locations of the coordinated par- 
ties. 

Our aim in this section is to show, by means of examples, that at an architectural 
level of design, such new abstractions for coordination can be formally specified as 
connectors and used in systems architectures together with the connectors that model 
traditional coordination primitives. Furthermore, we shall also show how in situations 
in which coordination encompasses both communication and relocation, the design 
of these aspects can be carried out independently. 

When Coordination Is Location-dependent 

Transient variable sharing is a context-dependent pattern of interaction proposed in 
[13] as a variant of traditional variable sharing, which is suitable for mobile comput- 
ing systems that are subject to frequent disconnections. Roughly speaking, it is based 
on variable sharing limited to the situations in which the components are in the com- 
munication range of each other. 

In Community, read-only sharing of variables is supported through I/O intercon- 
nection of variables. For instance, the interconnection of an input variable y of design 
R with the output variable x of design W establishes that the value of y is read from x. 
If, for instance, W is a mobile component, the reading of variable x is conditioned by 
the “connectivity” between W and R. The semantics defined for Community designs 
ensures that, when W is out of the range of communication of R, every action of R that 
needs to access the value of y gets blocked. 

In read-only transient sharing, even while W is out of the range of communication 
of R the value of y can be accessed. Of course, in this situation there is no way to 
continue to guarantee that the value of y is given by x. Instead, the value of y is given 
by the value of x on disconnection. 

This form of transient sharing can be modelled through the binary coordination 
connector TranSh with roles writer and reader and the glue transh. 

design writer is                 design reader is 
  inloc lw                         inloc lr 
  out x@lw: T                      in y: T 
  do wr@lw: [true → x:∈T]          do read@lr: [true → skip] 

The roles define the behaviour required of the components to which the connector 

can be applied. For a writer, we require an action that models every kind of possible 
operation on x. For a reader, we require an action that models the access to the input 
variable y. This is because it is essential to know in which location this action is exe- 
cuted. 

The glue ensures that updates to x are propagated to y whenever the reader and the 
writer are in contact with each other. Whenever the communication between the two 
components is possible, transh prevents the writer from writing x before the previous 
change of x has been propagated to y. In the other situations, Ir is not in the range of 
Iw and, hence, y remains with the value of x at disconnection time. On re-connection, 
the value of x is sooner or later propagated to y. This is achieved through the execu- 
tion of the action auto that is private to transh and, hence, subject to fairness require- 
ments. 



writer ← comm → transh ← comm → reader   (configuration diagram, rendered textually) 

design transh is 
  inloc lw, lr 
  in x: T 
  out y@lr: T 
  prv chg@lw: bool 
  do write@lw: [¬chg → chg:=true] 
  [] update@lr: [chg → y:=x || chg:=false] 
  [] ignore@lw: [¬inrange(lr) → chg:=false] 
  [] prv auto@lr: [y≠x → y:=x] 
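As an added example (not code from the paper), the following Python program simulates the composite writer-transh-reader design step by step over a constructed trace: in range, then out of range, then back in range. It assumes that x is the writer's x@lw, so update and auto at lr can only fire when lr bt lw, that inrange(lr) evaluated at lw is lw bt lr, and that T is int.

```python
"""Added example, not part of the paper: a step-by-step simulation of the
TranSh connector (roles writer and reader, glue transh) from Section 4.

Assumptions (mine): after composition, x is the writer's output x@lw, so the
actions update@lr and auto@lr can only fire when lr bt lw (condition 2.i);
inrange(lr) evaluated at lw is lw bt lr; the boolean `connected` stands for
lw bt lr at the current instant; the sort T is int.
"""


class TranSh:
    """State of the composite writer-transh-reader design."""

    def __init__(self, x=0):
        self.x = x         # x@lw, written by the writer
        self.y = x         # y@lr, the reader's copy
        self.chg = False   # chg@lw: a write has not yet been propagated

    def enabled(self, connected):
        """Actions enabled at this instant, following the guards of transh."""
        acts = set()
        if not self.chg:                    # wr||write@lw: [¬chg → chg:=true || x:∈T]
            acts.add("write")
        if self.chg and connected:          # update@lr: [chg → y:=x || chg:=false]
            acts.add("update")
        if not connected:                   # ignore@lw: [¬inrange(lr) → chg:=false]
            acts.add("ignore")
        if connected and self.y != self.x:  # prv auto@lr: [y≠x → y:=x]
            acts.add("auto")
        return acts

    def step(self, action, connected, new_x=None):
        """Execute one enabled action atomically; raise if it is not enabled."""
        if action not in self.enabled(connected):
            raise ValueError(f"{action} is not enabled in this state")
        if action == "write":
            self.x, self.chg = new_x, True
        elif action == "update":
            self.y, self.chg = self.x, False
        elif action == "ignore":
            self.chg = False
        elif action == "auto":
            self.y = self.x
        return self


def disconnection_trace():
    """Constructed run: in range, then out of range, then back in range.
    Returns a list of (action, connected, x, y, chg) after each step."""
    t = TranSh(x=0)
    log = []

    def do(action, connected, new_x=None):
        t.step(action, connected, new_x)
        log.append((action, connected, t.x, t.y, t.chg))

    do("write", True, 1)    # writer writes 1; propagation pending (chg)
    do("update", True)      # reader reads while in touch: y = 1
    do("write", False, 2)   # out of range: the writer may still write ...
    do("ignore", False)     # ... but the glue drops the pending change
    do("write", False, 3)
    do("ignore", False)     # y still holds 1, the value at disconnection
    do("auto", True)        # back in range: auto propagates x to y
    return log


if __name__ == "__main__":
    for entry in disconnection_trace():
        print(entry)
```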

Synchronous execution of actions is another form of communication available in 
many models of distributed systems that has also inspired a transient counterpart [13]. 
A simple form of transient synchronisation of an action a with an action b consists of 
requiring the two actions to be executed synchronously whenever they are located at 
connected hosts. When this is not the case, the two actions can be executed independ- 
ently. 

This form of transient synchronisation can be represented by a binary connector 
with two identical roles — comp. This design simply identifies the action subject to 
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the synchronisation. The glue of the connector ensures the synchronous execution of 
the two actions whenever they are located in locations in contact with each other and 
allows their independent execution in the other situations. 



(diagram: comp —comm— transync —comm— comp; the location l of the left role is identified with la and its action ac with the glue actions a and ab, while the location l of the right role is identified with lb and its action ac with the glue actions ab and b) 

design comp is 
  inloc l 
  do ac@l: [true → skip] 

design transync is 
  inloc la, lb 
  do a@la: [¬inrange(lb) → skip] 
  [] ab@la: [true → skip] 
       @lb: [true → skip] 
  [] b@lb: [¬inrange(la) → skip] 



When Coordination Requires Movement 



The fact that the location of components becomes a first-class design element also 
leads to new coordination patterns that explore the relocation of components, namely 
Remote Evaluation (RE) [15]. Like transient sharing and transient synchronisation, 
RE is a variant of a traditional style of interaction — Client-Server. 

Let us consider again the client-server system described in section 3. Recall that 
the server offers a fixed service — the calculation of a certain function f which de- 
pends on some resource v that is local to the server. The server holds the know-how 
needed to use the resource (the code that implements function f) as well as the re- 
source involved in the service (v). In RE, the server offers its resources but it is the 
client that holds the code that describes how to perform the service. The client needs 
to transmit the data and must provide the server with the code that implements the 
service. 

In this situation, the server simply has to be ready to cooperate with the client in 
the execution of the service. It receives the request and then it allows the use of its 
local resource, which can be locally changed at any time through the execution of 
action chg. We further consider that the server is bound to the same location for its 
whole life (see design re-server). 



design re-server is 
  outloc l 
  out v@l: T' 
  prv s@l: [0..1] 
  do req@l: [s=0 → s:=1] 
  [] serv@l: [s=1 → s:=0] 
  [] chg@l: [true → v:∈T'] 



design knowhow is 
  inloc l 
  in v: T', val: T 
  out res@l: T 
  prv lval@l: T, t@l: [0..3] 
  do get_val@l: [t=0 → lval:=val || t:=1] 
  [] req@l: [t=1 → t:=2] 
  [] serv@l: [t=2 → res:=f(v, lval) || t:=3] 
  [] send_res@l: [t=3 → t:=0] 



The client in this case is slightly more complex because a part of it concerns the 
know-how needed to use the server's resource and has to be relocated in order to 
achieve local interaction with the server. The simplest way of describing re-client is in 
terms of a configuration involving a traditional client bound to a fixed location and a 
design knowhow that encapsulates the portion of re-client that has to be moved. As 
modelled above, knowhow repeatedly gets the data needed for the execution of the 
service, requests the use of the server resource, uses the resource for the calculation of 
f and returns the result. The configuration of re-client (see below) establishes that 
knowhow and client exchange messages (the service's data and result) through synchro- 
nous communication. 



(configuration of re-client: client@lc —comm— sync —comm— knowhow; the client's val and res are connected to the inputs i1 and i2 of sync and, through them, to val and res of knowhow; the client's action req is synchronised with get_val of knowhow via ac1, and the client's read with send_res of knowhow via ac2) 

design sync is 
  in i1, i2: T 
  do ac1: [true → skip] 
  [] ac2: [true → skip] 



In RE, the coordination of re-client and re-server involves communication and 
code migration. It is necessary to describe the movement of the subcomponent 
knowhow of re-client that makes local interaction with the server possible and, once 
there, the kind of communication that is used. These two dimensions of coordination can 
be addressed and described separately. 




In what concerns communication, RE does not entail a particular form of commu- 
nication. Message passing through synchronous communication or remote procedure 
call are, for instance, possible choices. Hence, we use the connector Communication, 
which models a generic bi-directional communication protocol in the sense that the 
glue of this connector leaves completely unspecified the way in which messages are 
processed and transmitted. In this way, RE can be regarded as a parameterised entity 
that takes the communication protocol as a parameter (similar to higher-order con- 
nectors defined in [12]). 

The pattern of migration of RE can be defined separately by the connector Migra- 
tion below. 



(diagram: re-client —comm— migration —comm— re-server) 

design migration is 
  inloc ls, lc 
  outloc l 
  do go@l: [true → l:=ls] 
  [] come@l: [true → l:=lc] 



The glue carries out the relocation of knowhow to the server location as soon as it 
gets the data needed for the service. Once knowhow has terminated the use of the 
server resources, it returns to the client location. Then, the client may collect the re- 
sult. Notice that this corresponds to the synchronous execution of actions send_res at 
knowhow and read at client. At this point, these two actions are co-located (i.e., lc 
and l have the same value) and hence the location-guards of send_res and read are 
both true. 

Finally, by putting together the glues of Migration and Communication (without 
any kind of interaction) as well as the underlying role connections, we obtain a de- 
scription of RE as a coordination connector. 
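The coordination of re-client and re-server described above, as an added simulation that is not part of the paper. It assumes the synchronisations the text suggests (the client's req with get_val of knowhow and go of migration, the local req and serv pairs of knowhow and re-server, serv with come of migration, and send_res with read) and location guards that require knowhow to be at ls for the server interaction and back at lc for send_res/read; the resource, the function f and the values are constructed.

```python
# Added example, not from the paper: one round of Remote Evaluation between
# re-server, knowhow (the mobile part of re-client) and the client, with the
# migration glue moving knowhow. Synchronisations assumed from the text:
# client.req with knowhow.get_val and migration.go; knowhow.req/serv with
# the server's req/serv (local interaction, so knowhow must be at ls);
# knowhow.serv with migration.come; knowhow.send_res with client.read
# (location guards true only when knowhow is back at lc). Resource, f and
# values are constructed.

def run_remote_evaluation(val, f, v0, migrate=True):
    """Return (result at the client, trace of executed joint actions, final
    location of knowhow). With migrate=False the migration glue is absent."""
    kh  = {"l": "lc", "t": 0, "lval": None, "res": None}   # knowhow, starts at the client
    srv = {"s": 0, "v": v0}                                 # re-server, bound to ls
    cl  = {"val": val, "res": None}                         # client, bound to lc

    def g_get():  return kh["t"] == 0
    def e_get():
        kh["lval"], kh["t"] = cl["val"], 1                  # get_val: lval:=val || t:=1
        if migrate:
            kh["l"] = "ls"                                  # migration.go: l:=ls
    def g_req():  return kh["t"] == 1 and srv["s"] == 0 and kh["l"] == "ls"
    def e_req():
        kh["t"], srv["s"] = 2, 1                            # req: t:=2 (knowhow), s:=1 (server)
    def g_serv(): return kh["t"] == 2 and srv["s"] == 1 and kh["l"] == "ls"
    def e_serv():
        kh["res"], kh["t"], srv["s"] = f(srv["v"], kh["lval"]), 3, 0   # res:=f(v,lval)
        if migrate:
            kh["l"] = "lc"                                  # migration.come: l:=lc
    def g_send(): return kh["t"] == 3 and kh["l"] == "lc"   # co-located with the client
    def e_send():
        cl["res"], kh["t"] = kh["res"], 0                   # send_res || read

    actions = [("req|get_val|go", g_get, e_get), ("req|req", g_req, e_req),
               ("serv|serv|come", g_serv, e_serv), ("send_res|read", g_send, e_send)]
    trace = []
    for _ in range(len(actions)):            # one service round needs exactly four steps
        for name, guard, effect in actions:
            if guard():
                effect()
                trace.append(name)
                break
        else:
            break                            # nothing enabled: the coordination is stuck
    return cl["res"], trace, kh["l"]
```

Running it without the migration glue shows why the two dimensions compose rather than compete: with communication alone, knowhow stays at lc, its req action never satisfies the co-location guard, and the round stops after get_val.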
5 Concluding Remarks 

In this paper, we have addressed the interference of distribution and mobility with 
coordination in the context of system architectures that are structured in terms of 
components and connectors. By adopting an architectural framework that was ex- 
tended in order to support the description of the distribution aspects of systems, we 
have shown how the effectiveness of connectors in place in a system may depend on 
the locations of the components that are being coordinated as well as on the properties 
of the wires through which the coordination has to take place. In this situation, it is 
essential that when connectors in place become ineffective, they can be replaced by 
different ones. Support for describing this kind of evolution can be conceived in terms 
of a dynamic reconfiguration language equipped with a set of observables including, 
for instance, the component locations and the network topology (many other relevant 
observables are identified in [3]). We plan to extend the reconfiguration language 
developed for CommUnity architectures [17] in order to make systems evolve in 
reaction to these new sources of change. 

Furthermore, we have focused on new styles of coordination that rely on and use 
the distribution/mobility dimension of systems. We have considered situations in 
which the coordination patterns depend on the location of the coordinated parties or 
even determine their relocation. We have shown that these new forms of coordination, 
like the traditional ones, do not have to be programmed in the code of components. 
They can be externalised as first class entities and superposed over other components 
to regulate their behaviour or their location without intruding in the way they have 
been implemented. In fact, components will not even know that they are being regu- 
lated in the sense that the coordination is performed externally. 

The examples we have analyzed also suggest that in the situations in which com- 
munication, distribution and mobility, can be regarded as different dimensions of the 
coordination pattern, these dimensions can be addressed separately and then com- 
posed. This separation is important not only because it makes it easier to describe 
complex interaction patterns and promotes reuse, but also addresses the evolutionary 
dimension of systems. 

Not every language supports the separation of concerns just described. CommU- 
nity was developed precisely to illustrate how the separation between computation 
and coordination can be supported by Formal Description Techniques. Moreover, the 
extension with distribution and mobility (in contrast with a former extension pre- 
sented in [16]) was developed having in mind the support required for the externali- 
sation of the mechanisms that are responsible for managing the distribution topology 
of systems. In [7], we have provided a mathematical characterisation of the language 
features that the separation of computation and coordination requires. Future work 
is under way to establish the corresponding extension taking the distribution 
dimension into account. 

Acknowledgements. This work was partially supported through the IST-2001-32747 
Project AGILE - Architectures for Mobility. 
Abstract. We provide a semantic basis for heterogeneous specifications 
that not only involve different logics, but also different kinds of transla- 
tions between these. We show that Grothendieck institutions based on 
spans of (co)morphisms can serve as a unifying framework providing a 
simple but powerful semantics for heterogeneous specification. 



1 Introduction 

For the specification of large software systems, heterogeneous multi-logic speci- 
fications are needed, since complex problems have different aspects that are best 
specified in different logics. A combination of all the used logics would become 
too complex in many cases. Moreover, using heterogeneous specifications, differ- 
ent approaches being developed at different sites can be related, i.e. there is a 
formal interoperability among languages and tools. In many cases, specialized 
languages and tools have their strengths in particular aspects. Using hetero- 
geneous specification, these strengths can be combined with comparably small 
effort. 

The most prominent approach to heterogeneous specification is CafeOBJ 
with its cube of eight logics and twelve projections (formalized as institution 
morphisms) among them [13], and having a semantics based on Diaconescu's 
notion of Grothendieck institution [12]. However, this approach has a limita- 
tion: only one type of translation between institutions is used, namely institution 
morphisms. Tarlecki [47] is more general: he introduces a whole range of hetero- 
geneous constructs for different kinds of translations. However, only one kind of 
translation can be used at a time. The goal of the present work is to overcome 
these limitations while simultaneously staying as simple as possible. 

2 Institutions and Their (Co)Morphisms 

Following [21], we formalize logics as institutions. 

Definition 1. An institution $I = (\mathbf{Sign}^I, \mathbf{Sen}^I, \mathbf{Mod}^I, \models^I)$ consists of 

— a category $\mathbf{Sign}^I$ of signatures, 

— a functor $\mathbf{Sen}^I\colon \mathbf{Sign}^I \to \mathbf{Set}$ giving, for each signature $\Sigma$, the set of sen- 
tences $\mathbf{Sen}^I(\Sigma)$, and for each signature morphism $\sigma\colon \Sigma \to \Sigma'$, the sentence 
translation map $\mathbf{Sen}^I(\sigma)\colon \mathbf{Sen}^I(\Sigma) \to \mathbf{Sen}^I(\Sigma')$, where often $\mathbf{Sen}^I(\sigma)(\varphi)$ 
is written as $\sigma(\varphi)$, 

— a functor $\mathbf{Mod}^I\colon (\mathbf{Sign}^I)^{op} \to \mathbf{CAT}$¹ giving, for each signature $\Sigma$, the cate- 
gory of models $\mathbf{Mod}^I(\Sigma)$, and for each signature morphism $\sigma\colon \Sigma \to \Sigma'$, the 
reduct functor $\mathbf{Mod}^I(\sigma)\colon \mathbf{Mod}^I(\Sigma') \to \mathbf{Mod}^I(\Sigma)$, where often $\mathbf{Mod}^I(\sigma)(M')$ 
is written as $M'|_\sigma$ (the $\sigma$-reduct of $M'$), 

— a satisfaction relation $\models^I_\Sigma \subseteq |\mathbf{Mod}^I(\Sigma)| \times \mathbf{Sen}^I(\Sigma)$ for each $\Sigma \in \mathbf{Sign}^I$, 

such that for each $\sigma\colon \Sigma \to \Sigma'$ in $\mathbf{Sign}^I$ the following satisfaction condition holds: 

$$M' \models^I_{\Sigma'} \sigma(\varphi) \iff M'|_\sigma \models^I_\Sigma \varphi$$ 

for each $M' \in \mathbf{Mod}^I(\Sigma')$ and $\varphi \in \mathbf{Sen}^I(\Sigma)$. □ 

The notion of institutions gains much of its importance by the fact that 
several languages for modularizing specifications have been developed in a com- 
pletely institution independent way [42, 16, 14,22, 15,34], one of which also has 
been extended to the heterogeneous case [47]. Most of their constructs can be 
translated into the formalism of development graphs introduced below, which 
hence can be seen as a core formalism for structured and heterogeneous theorem 
proving. For the language Casl, such a translation has been laid out explicitly 
in [4]. 

Definition 2. Given an arbitrary but fixed institution $I$, a development graph 
over $I$ is an acyclic directed graph $\mathcal{S} = \langle \mathcal{N}, \mathcal{L} \rangle$. 

$\mathcal{N}$ is a set of nodes. Each node $N \in \mathcal{N}$ is a tuple $(\Sigma^N, \Phi^N)$ such that $\Sigma^N \in 
\mathbf{Sign}^I$ is a signature and $\Phi^N \subseteq \mathbf{Sen}^I(\Sigma^N)$ is the set of local axioms of $N$. 

$\mathcal{L}$ is a set of directed links, so-called definition links, between elements of $\mathcal{N}$. 
Each definition link from a node $M$ to a node $N$ is either 

— global (denoted $M \xrightarrow{\ \sigma\ } N$), annotated with a signature morphism $\sigma\colon 
\Sigma^M \to \Sigma^N \in \mathbf{Sign}^I$, or 

— hiding (denoted $M \xrightarrow{\ \sigma\ \mathrm{hide}\ } N$), annotated with a signature morphism $\sigma\colon 
\Sigma^N \to \Sigma^M \in \mathbf{Sign}^I$ going against the direction of the link. Typically, $\sigma$ will 
be an inclusion, and the symbols of $\Sigma^M$ not in $\Sigma^N$ will be hidden. 

What is the meaning of such development graphs? Development graphs with- 
out hiding have a theory-level semantics, see [4]. For development graphs with 
hiding, a model-level semantics seems to be more appropriate: 

Definition 3. Given a node $N \in \mathcal{N}$, its associated class $\mathrm{Mod}_{\mathcal{S}}(N)$² of models 
(or $N$-models for short) consists of those $\Sigma^N$-models $n$ for which 

— $n$ satisfies the local axioms $\Phi^N$, 

— for each global link $K \xrightarrow{\ \sigma\ } N \in \mathcal{S}$, $n|_\sigma$ is a $K$-model, and 

— for each hiding link $K \xrightarrow{\ \sigma\ \mathrm{hide}\ } N \in \mathcal{S}$, $n$ has a $\sigma$-expansion $k$ (i.e. $k|_\sigma = n$) which is a 
$K$-model. 



¹ Let $\mathbf{CAT}$ be the (quasi-)category of categories and functors. 

² $\mathrm{Mod}_{\mathcal{S}}$ is not to be confused with the model functor $\mathbf{Mod}$ of the institution. 
Complementary to definition and hiding links, which define the theories of 
related nodes, we introduce the notion of a theorem link with the help of which we 
are able to postulate relations between different theories. Global theorem links³ 
(denoted by $N \xRightarrow{\ \sigma\ } M$, where $\sigma\colon \Sigma^N \to \Sigma^M$) are the central data structure 
to represent proof obligations arising in formal developments. 

Definition 4. Let $\mathcal{S}$ be a development graph. $\mathcal{S}$ implies a global theorem link 
$N \xRightarrow{\ \sigma\ } M$ (denoted $\mathcal{S} \models N \xRightarrow{\ \sigma\ } M$), iff for all $m \in \mathrm{Mod}_{\mathcal{S}}(M)$, $m|_\sigma \in 
\mathrm{Mod}_{\mathcal{S}}(N)$. 
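To see Definitions 1 to 4 at work on the smallest possible case, here is an added example (not from the paper) that implements propositional logic as an institution: signatures are sets of propositional symbols, signature morphisms are (possibly non-injective) renamings, sentences are formulas over the symbols and models are valuations. It checks the satisfaction condition of Definition 1 by brute force, computes the node semantics $\mathrm{Mod}_{\mathcal{S}}(N)$ of Definition 3 including a hiding link, and decides a global theorem link as in Definition 4. The development graph and its node names (K, N, M, G) are constructed.

```python
from itertools import product

# Added example, not the paper's code: propositional logic as an institution.
# Signatures are frozensets of symbol names; a signature morphism sigma is a
# dict from source symbols to target symbols (a possibly non-injective renaming).
# Sentences: ("var", p) | ("not", s) | ("and", s, t) | ("or", s, t).
# Models of a signature: dicts symbol -> bool (valuations).

def sen_translate(sigma, phi):
    """Sen(sigma): rename the symbols of phi along sigma."""
    tag = phi[0]
    if tag == "var":
        return ("var", sigma[phi[1]])
    if tag == "not":
        return ("not", sen_translate(sigma, phi[1]))
    return (tag, sen_translate(sigma, phi[1]), sen_translate(sigma, phi[2]))

def reduct(sigma, model):
    """Mod(sigma): the sigma-reduct M'|sigma interprets p as M' interprets sigma(p)."""
    return {p: model[q] for p, q in sigma.items()}

def all_models(signature):
    """Every valuation of the signature, in a fixed order."""
    syms = sorted(signature)
    return [dict(zip(syms, bits)) for bits in product([False, True], repeat=len(syms))]

def satisfies(model, phi):
    tag = phi[0]
    if tag == "var":
        return model[phi[1]]
    if tag == "not":
        return not satisfies(model, phi[1])
    if tag == "and":
        return satisfies(model, phi[1]) and satisfies(model, phi[2])
    return satisfies(model, phi[1]) or satisfies(model, phi[2])

def satisfaction_condition_holds(sigma, target_sig, phi):
    """Definition 1:  M' |= sigma(phi)  iff  M'|sigma |= phi, for every target model M'."""
    return all(satisfies(m, sen_translate(sigma, phi)) == satisfies(reduct(sigma, m), phi)
               for m in all_models(target_sig))

# A development graph (Definition 2): nodes map to (signature, local axioms);
# links are (source, target, kind, sigma) with kind "global" (sigma: Sig^src -> Sig^tgt)
# or "hiding" (sigma: Sig^tgt -> Sig^src, against the link direction).
def dg_models(graph, node):
    """Mod_S(N) of Definition 3, computed recursively over incoming definition links."""
    sig, axioms = graph["nodes"][node]
    result = []
    for n in all_models(sig):
        if not all(satisfies(n, ax) for ax in axioms):
            continue
        ok = True
        for src, tgt, kind, sigma in graph["links"]:
            if tgt != node:
                continue
            k_models = dg_models(graph, src)
            if kind == "global":
                ok = ok and reduct(sigma, n) in k_models                  # n|sigma is a K-model
            else:
                ok = ok and any(reduct(sigma, k) == n for k in k_models)  # a sigma-expansion exists
        if ok:
            result.append(n)
    return result

def implies_theorem_link(graph, n_node, m_node, sigma):
    """Definition 4: S |= N ==sigma==> M  iff  m|sigma is an N-model for every M-model m."""
    n_models = dg_models(graph, n_node)
    return all(reduct(sigma, m) in n_models for m in dg_models(graph, m_node))

def sample_graph():
    """Constructed graph: K hides its symbol h into N; M feeds G through a global link."""
    v = lambda p: ("var", p)
    return {
        "nodes": {
            "K": (frozenset({"a", "h"}), [("and", v("a"), v("h"))]),
            "N": (frozenset({"a"}), []),                      # inherits 'a' from K, h hidden
            "M": (frozenset({"x", "y"}), [v("x")]),
            "G": (frozenset({"x", "y", "z"}), [v("z")]),
        },
        "links": [
            ("K", "N", "hiding", {"a": "a"}),                 # sigma: Sig^N -> Sig^K
            ("M", "G", "global", {"x": "x", "y": "y"}),       # sigma: Sig^M -> Sig^G
        ],
    }
```

The hiding link is the instructive case: N has no local axioms and no symbol h, yet its only model makes a true, because an expansion to a K-model must exist; that is exactly the model-level reading of hiding that the text prefers over a theory-level one.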

We now come to the task of relating different institutions. Institution mor- 
phisms [21] relate two given institutions. A typical situation is that an institution 
morphism expresses the fact that a “larger” institution is built upon a “smaller” 
institution by projecting the “larger” institution onto the “smaller” one. 

Given institutions $I$ and $J$, an institution morphism [21] $\mu = (\Phi, \alpha, \beta)\colon I \to J$ 
consists of 

— a functor $\Phi\colon \mathbf{Sign}^I \to \mathbf{Sign}^J$, 

— a natural transformation $\alpha\colon \mathbf{Sen}^J \circ \Phi \to \mathbf{Sen}^I$ and 

— a natural transformation $\beta\colon \mathbf{Mod}^I \to \mathbf{Mod}^J \circ \Phi^{op}$, 

such that the following satisfaction condition is satisfied for all $\Sigma \in \mathbf{Sign}^I$, 
$M \in \mathbf{Mod}^I(\Sigma)$ and $\varphi' \in \mathbf{Sen}^J(\Phi(\Sigma))$: 

$$M \models^I_\Sigma \alpha_\Sigma(\varphi') \iff \beta_\Sigma(M) \models^J_{\Phi(\Sigma)} \varphi'$$ 

The notion of institution morphism can be varied in several ways by changing 
the directions of the arrows or even, in the case of semi-morphisms, omitting the 
arrows [20,46]: 

morphism:           $\mathbf{Sign} \to \mathbf{Sign}'$, $\mathbf{Sen} \leftarrow \mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \to \mathbf{Mod}' \circ \Phi$ 

comorphism:         $\mathbf{Sign} \to \mathbf{Sign}'$, $\mathbf{Sen} \to \mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \leftarrow \mathbf{Mod}' \circ \Phi$ 

forward morphism:   $\mathbf{Sign} \to \mathbf{Sign}'$, $\mathbf{Sen} \to \mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \to \mathbf{Mod}' \circ \Phi$ 

forward comorphism: $\mathbf{Sign} \to \mathbf{Sign}'$, $\mathbf{Sen} \leftarrow \mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \leftarrow \mathbf{Mod}' \circ \Phi$ 

semi morphism:      $\mathbf{Sign} \to \mathbf{Sign}'$, no arrow between $\mathbf{Sen}$ and $\mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \to \mathbf{Mod}' \circ \Phi$ 

semi comorphism:    $\mathbf{Sign} \to \mathbf{Sign}'$, no arrow between $\mathbf{Sen}$ and $\mathbf{Sen}' \circ \Phi$, $\mathbf{Mod} \leftarrow \mathbf{Mod}' \circ \Phi$ 

The respective satisfaction conditions are quite obvious (note that for semi- 
(co)morphisms, none is required). 



³ There are also local and hiding theorem links, which are omitted here for simplicity. 



Finally, each type of morphism also comes in a simple theoroidal variant [20], 
meaning that signatures may be mapped to theories. Following [26], the category 
$\mathbf{Th}$ of theories has as objects theories, i.e. signatures plus sets of axioms. A theory 
morphism is a signature morphism mapping axioms to logical consequences. Let 
$\mathrm{Sig}\colon \mathbf{Th} \to \mathbf{Sign}$ be the functor forgetting axioms, and $\iota\colon \mathbf{Sign} \to \mathbf{Th}$ denote 
the obvious inclusion, which is a right inverse to $\mathrm{Sig}$. 

Again following [26], a theoroidal comorphism $\rho = (\Phi, \alpha, \beta)\colon I \to J$ is said 
to be a subinstitution comorphism (and $I$ is said to be a subinstitution of $J$) if $\Phi$ 
is an embedding of categories, $\alpha$ is a pointwise injection, and $\beta$ is a natural 
isomorphism. 

In the literature, a whole range of different types of translations has been 
used. The following table partitions them by some informal classification scheme 
(a "th" stands for the simple theoroidal case, "semi" denotes semi-morphisms, 
and an "x" stands for folklore knowledge or trivialities): 

                    | (semi) morphism  | (theoroidal) comorphism               | (theoroidal) forward morphism | forward comorphism 
--------------------|------------------|---------------------------------------|-------------------------------|------------------- 
Inclusion           | [41]             | [2,26]                                | x                             | x 
Coding              | ([41,1])⁴        | th [3,8,9,24], [25-28,31,33,45]       | th [5,48], ([39,40,44])⁵      | 
Projection          | [2,41,13]        |                                       |                               | 
Feature interaction | [30]             | th                                    |                               | 
Implementation      | semi [43,46,41]  | x                                     | [48]                          | 

3 Heterogeneous Specification 

One typical scenario (cf. e.g. [19, 18]) of heterogeneity arises in the specification 
of reactive systems: some equational or first-order logic is used to specify the 
data (here, lists over arbitrary elements), some process algebra (here, CSP) is 
used to describe the system (here, a buffer implemented as a list), and some 
temporal logic is used to state fairness or eventuality properties that go beyond 
the expressiveness of the process algebra (here, we express the fairness property 
that the buffer cannot read infinitely often without writing). A corresponding 
heterogeneous specification (using the structuring constructs of Casl) is given 
in Fig. 1, the corresponding development graph in Fig. 2. Here, (List, Ax) is a 
specification of lists, Buf is the buffer process, List' is the signature resulting 
from the translation to CFOL=-LTL, and Fair is the fairness axiom. 

Actually, one should add that the process Buf does not meet the fairness 
constraint, since it can read infinitely often without ever writing. However, a 
simplistic buffer such as 

⁴ It is not entirely clear whether these should be really called encodings, since — unlike 
the other codings in this row — it is not clear that they are suitable for re-use of 
theorem provers. 

⁵ Salibra and Scollo introduce a relaxed kind of forward morphism mapping models 
to sets of models. 
logic Csp-CFOL= 
spec Buffer = 
  data List 
  channels read, write : Elem 
  process let Buf(l : List[Elem]) = 
               read?x → Buf(cons(x, nil)) 
             □ if l = nil then STOP 
               else write!last(l) → Buf(rest(l)) 
          in Buf(nil) 
with logic → CFOL=-LTL 
then %implies 
  ∀x : ds . in_any_case(x, always eventually label_cond(y . fst(y) = write)) 
  %% Roughly corresponds to AGE fst(label) = write in CTL* 
end 

Fig. 1. A sample heterogeneous specification. 



(List, Ax) ∈ CFOL= 
      | 
      v 
(List, {Buf}) ∈ Csp-CFOL= 
      | 
      | toLTL 
      v 
(List', {Fair}) ∈ CFOL=-LTL 

Fig. 2. An informal sample heterogeneous development graph. 



Copy = read?x → write!x → Copy 

satisfies the fairness constraint, and so does a buffer using bounded lists. 
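The reading-without-writing behaviour of Buf, contrasted with Copy and with a bounded buffer, as an added check that is not part of the paper. The unbounded buffer is abstracted to the length of its list (a constructed abstraction that keeps exactly the read/write enabledness), and a bounded search looks for write-free runs of a given length, which is the finite witness of the violation of "always eventually write" that the text describes.

```python
# Added example, not from the paper: bounded search for write-free runs in
# the (constructed) length abstraction of Buf, in Copy, and in a bounded buffer.

def buf_successors(n):
    """Buf(l) abstracted to n = length of l: read is always possible,
    write only if the list is non-empty."""
    succ = [("read", n + 1)]
    if n > 0:
        succ.append(("write", n - 1))
    return succ

def copy_successors(state):
    """Copy = read?x -> write!x -> Copy, with states 'empty' and 'full'."""
    return [("read", "full")] if state == "empty" else [("write", "empty")]

def bounded_buf_successors(capacity):
    """A buffer over lists of at most `capacity` elements: read is refused when full."""
    def succ(n):
        out = []
        if n < capacity:
            out.append(("read", n + 1))
        if n > 0:
            out.append(("write", n - 1))
        return out
    return succ

def longest_write_free_run(successors, start, bound):
    """Depth-first search for the longest path from `start` that never takes a
    'write' transition, cut off at `bound`. A result equal to `bound` means a
    write-free run of at least that length exists, i.e. the bounded witness of
    a violation of 'always eventually write'."""
    best = 0
    stack = [(start, 0)]
    while stack:
        state, depth = stack.pop()
        best = max(best, depth)
        if depth >= bound:
            return bound
        for label, nxt in successors(state):
            if label != "write":
                stack.append((nxt, depth + 1))
    return best

def violates_fairness(successors, start, bound=50):
    """True when a write-free run of length `bound` exists from `start`."""
    return longest_write_free_run(successors, start, bound) == bound
```

For Buf the search reaches any bound, because reads are never refused; for Copy the longest write-free run has length one, and for a buffer of capacity k it has length exactly k, which is why the text counts both as satisfying the constraint.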
We now briefly introduce several institutions involved: 



FOL= is many-sorted first-order logic with equality. Signatures consist of a set 
of sorts, a set of function symbols and a set of predicate symbols (each 
symbol coming with a string of argument sorts and, for function symbols, 
a result sort). Signature morphisms map the three components in a com- 
patible way. Models are first-order structures, and sentences are the usual 
first-order sentences built from equations, predicate applications and logical 
connectives and quantifiers ∀, ∃. Sentence translations and model reducts are 
quite straightforward. Satisfaction is defined inductively in the usual way. A 
detailed description of this institution can be found in [21]. 

CFOL= adds new sentences, namely sort generation constraints, to 
FOL=. These express that a particular set of sorts is generated by terms 
built from a particular set of operations (and possibly variables valued with 
values from other sorts). This allows specifying inductive datatypes like lists. 
Details can be found in the semantics of Casl [11,31]. Actually, CFOL= is 
a subinstitution of Casl. Casl additionally admits the use of subsorts and 
partiality, but we omit these here for simplicity. 
Csp-CFOL= (actually a subinstitution of Csp-Casl [36, 37]) combines CFOL= 
with the process algebra CSP. Signatures and signature morphisms are those 
from CFOL=, but restricted to signature morphisms that are injective on 
sorts. 

There are several notions of model for Csp-CFOL=. We here choose the 
most informative one, based on labeled transition systems (LTS) [38]. Thus, 
models are CFOL=-models, possibly equipped with an LTS labeled 
in the disjoint union of all carriers. On the CFOL=-part, reducts are as in 
CFOL=. If a model is not equipped with an LTS, neither is its reduct. If a 
model is equipped with an LTS, and the LTS is labeled only with labels from 
carriers of the CFOL=-reduct, it is quite straightforward to construe the 
LTS as an LTS for the CFOL=-reduct (injectivity of signature morphisms 
on sorts ensures that carrier sets are not doubled). Otherwise, the LTS is 
deleted. 

Sentences are either CFOL= sentences, or CSP process terms [23,38] in- 
volving CFOL=-terms in place of alphabet letters. Sentence translation is 
straightforward. 

Satisfaction for CFOL= sentences is as in CFOL=. A CSP process term 
P is evaluated using the CFOL=-part of a model M, leading to an LTS L 
with labels in the disjoint union of all carriers. Now M satisfies P iff M is 
equipped with L. Details can be found in [36,37]. 

CFOL=-LTL (actually a subinstitution of Casl-Ltl [35]) combines CFOL= 
with the computation tree logic CTL* [17]⁶. 

Signatures are CFOL=-signatures with 

— a distinguished set DS of dynamic sorts, 

— an injective assignment of label sorts Label_ds (outside DS) to dynamic 
sorts ds, such that 

— there exists a transition predicate $\_ \xrightarrow{\ \_\ } \_ \colon ds \times Label\_ds \times ds$ for each 
dynamic sort ds. 

Signature morphisms are CFOL=-signature morphisms preserving the ex- 
tra structure on the nose (the latter is also called the dynamic part of the 
signature). 

Models and model reducts are inherited from CFOL=. The presence of the 
transition predicates means that each dynamic sort is interpreted as an LTS. 
Sentences are either first-order sentences, or CTL* formulae anchored by the 
elements of dynamic sorts. Satisfaction is that of CTL*. Details can be found 
in [35]. 

We will use the notation etc. to denote the individual compo- 

nents of these institutions. 

Among these institutions, we now introduce some morphisms and comor- 
phisms (cf. Fig. 3): 



⁶ Actually, the "LTL" in Casl-Ltl is a bit misleading. It does not stand for linear 
temporal logic, as one might expect, but for labeled transition logic. 
(diagram: Csp-CFOL= → CFOL= (morphism pr), CFOL= → CFOL=-LTL (embed), and Csp-CFOL= → CFOL=-LTL (comorphism toLTL)) 

Fig. 3. A (non-commutative) diagram of institutions and (co)morphisms. 



— A morphism pr: Csp-CFOL= → CFOL=. At the signature and sentence 
level, it is the obvious inclusion. For models, just the LTS (if present) is 
forgotten. 

— A theoroidal semi-comorphism toLTL: Csp-CFOL= → CFOL=-LTL. A 
signature is extended by a dynamic sort ds, a label sort Label_ds and a 
transition predicate, and injection operations inj: s → Label_ds for each sort 
s. These are axiomatized to be injective and to jointly generate Label_ds. 
Signature morphisms are just extended to map the extra structure on the 
nose in the obvious way. (Actually, the translation of signature morphisms 
is only defined for identity signature morphisms; hence we have a partial 
semi-comorphism only. We will not formalize this here, since Section 6 offers 
a simple solution.) 

A CFOL=-LTL-model is translated to a Csp-CFOL=-model by forgetting 
the interpretation of the dynamic part to get a CFOL=-model, and equip- 
ping it with the LTS determined by the interpretation of the transition re- 
lation. 

— A comorphism embed: CFOL= → CFOL=-LTL. This is just the obvious 
subinstitution comorphism. 

This shows that practical examples may involve several types of translation 
between institutions. One might argue that one could try to modify the above 
introduced institutions in such a way that only one type of translation would be 
needed. However, the institutions are taken from the literature⁷, and it would 
require research effort (and in some cases tool development) in order to change 
them. 

4 The Bi-Grothendieck Institution 

How can we give a precise meaning to the development graph involving several 
kinds of translations between institutions in Fig. 2? 

⁷ In the case of Csp-CFOL=, the present author has worked on the formalization as 
an institution [37], but not on the design [36]. There seems to be no alternative for- 
mulation of Csp-CFOL= as an institution simplifying the above picture. Moreover, 
the problems to be solved when formalizing the quite popular language LOTOS [7] 
as an institution should be similar to those of Csp-CFOL=. 







Tarlecki’s [47] approach to heterogeneous specification is to introduce a new 
heterogeneous language construct for each of the various kinds of translations 
between institutions. This would correspond to adding new types of definition, 
hiding and theorem links for each of the translation kinds. However, it is unclear 
how several kinds of translations will interact, e.g. with respect to amalgamation 
and interpolation properties, which are important for structured proof systems 
[6,32]. 

Even if one does not use heterogeneous specifications simultaneously involv- 
ing different kinds of translations, a unifying framework is highly desirable in 
order not to have to switch to a different tool when considering a heterogeneous 
specification with a different type of translation. 

A good way to deal with these problems is to flatten the graph of institutions 
and translations, as it is done with Diaconescu's Grothendieck institution [12]. 
We here recall the Grothendieck institution for the comorphism-based case [29]: 

Definition 5. An indexed coinstitution is a functor $\mathcal{I}\colon \mathbf{Ind}^{op} \to \mathbf{CoIns}$ into the 
category $\mathbf{CoIns}$ of institutions and institution comorphisms⁸. A discrete indexed 
coinstitution is one with $\mathbf{Ind}$ discrete. □ 

The basic idea of the Grothendieck institution is that all signatures of all 
institutions are put side by side, and a signature morphism in this large realm 
of signatures consists of an intra-institution signature morphism plus an inter- 
institution translation (along some institution comorphism). The other compo- 
nents are then defined in a straightforward way. 

Definition 6. Given an indexed coinstitution $\mathcal{I}\colon \mathbf{Ind}^{op} \to \mathbf{CoIns}$, define the 
Grothendieck institution $\mathcal{I}^\#$ as follows: 

— signatures in $\mathcal{I}^\#$ are pairs $(\Sigma, i)$, where $i \in |\mathbf{Ind}|$ and $\Sigma$ is a signature in the 
institution $\mathcal{I}(i)$, 

— signature morphisms $(\sigma, e)\colon (\Sigma_1, i) \to (\Sigma_2, j)$ consist of a morphism $e\colon j \to 
i \in \mathbf{Ind}$ and a signature morphism $\sigma\colon \Phi^{\mathcal{I}(e)}(\Sigma_1) \to \Sigma_2$ (here, $\mathcal{I}(e)\colon \mathcal{I}(i) \to 
\mathcal{I}(j)$ is the institution comorphism corresponding to the arrow $e\colon j \to i$ in 
the indexed coinstitution, and $\Phi^{\mathcal{I}(e)}$ is its signature translation component), 

— the $(\Sigma, i)$-sentences are the $\Sigma$-sentences in $\mathcal{I}(i)$, and sentence translation 
along $(\sigma, e)$ is the composition of sentence translation along $\sigma$ with sentence 
translation along $\mathcal{I}(e)$, 

— the $(\Sigma, i)$-models are the $\Sigma$-models in $\mathcal{I}(i)$, and model reduction along $(\sigma, e)$ 
is the composition of model translation along $\mathcal{I}(e)$ with model reduction along 
$\sigma$, and 

— satisfaction w.r.t. $(\Sigma, i)$ is satisfaction w.r.t. $\Sigma$ in $\mathcal{I}(i)$. □ 



⁸ Indeed, the name is justified by the fact that the category of institutions and insti- 
tution comorphisms is isomorphic to the category of coinstitutions and coinstitution 
morphisms. A coinstitution is an institution with model translations covariant to 
signature morphisms, while sentence translations are contravariant. 
A Grothendieck institution for an indexed institution $\mathcal{I}\colon \mathbf{Ind}^{op} \to \mathbf{Ins}$ can be 
defined similarly [12]; it will also be denoted by $\mathcal{I}^\#$. By contrast, the Grothendieck 
construction does not obviously generalize to diagrams consisting of forward or 
semi (co)morphisms, because of the lacking (contravariance between model and) 
sentence translation. Let us therefore for a moment concentrate on morphisms 
and comorphisms only. 

We consider heterogeneous specification over a set of institutions, a set of 
morphisms and a set of comorphisms. This is formalized as an indexed institu- 
tion $\mathcal{I}_m$ (collecting the morphisms) together with an indexed coinstitution $\mathcal{I}_c$ 
(collecting the comorphisms), both with the same underlying set of institutions, 
regarded as a discrete indexed institution $\mathcal{I}_0$. 

Definition 7. Let $(\mathcal{I}_m, \mathcal{I}_c, \mathcal{I}_0)$, with $\mathcal{I}_m$ an indexed institution, $\mathcal{I}_c$ an indexed 
coinstitution and $\mathcal{I}_0$ a discrete indexed institution be given, such that $|\mathbf{Ind}_m| = 
|\mathbf{Ind}_c| = |\mathbf{Ind}_0|$, and $\mathcal{I}_m$, $\mathcal{I}_c$ and $\mathcal{I}_0$ agree on these. 

Then we form the Grothendieck institutions $\mathcal{I}_m^\#$, $\mathcal{I}_c^\#$ and $\mathcal{I}_0^\#$. Since $\mathcal{I}_0^\#$ obvi- 
ously is included in $\mathcal{I}_m^\#$ and $\mathcal{I}_c^\#$ via a (co)morphism, we can take the pushout 

$$\begin{array}{ccc} \mathcal{I}_0^\# & \longrightarrow & \mathcal{I}_m^\# \\ \downarrow & & \downarrow \\ \mathcal{I}_c^\# & \longrightarrow & J \end{array}$$ 

in the category of institutions and institution morphisms (or comorphisms, this 
would make no difference here). The pushout in either category exists by results 
of [20]. By abuse of notation, we will denote the pushout $J$ by $(\mathcal{I}_m, \mathcal{I}_c)^\#$. It will 
be called the Bi-Grothendieck institution. 

The heterogeneous development graph in Fig. 2 can now formally be under- 
stood as a development graph over the Bi-Grothendieck institution. 

5 Inducibility 

The Bi-Grothendieck institution is quite complex, and it is not immediately clear 
how to obtain e.g. proof support for it. It is therefore tempting to try to reduce 
the complexity of this construction by mapping morphisms to comorphisms or 
vice versa. This can be done by weakening the adjunction between morphisms 
and comorphisms introduced in [2]: 

Definition 8. Given an institution comorphism $\rho = (\Phi, \alpha, \beta)\colon I \to J$, a functor 
$\Psi\colon \mathbf{Sign}^J \to \mathbf{Sign}^I$ and a natural transformation $\varepsilon\colon \Phi \circ \Psi \to \mathrm{Id}$, we say that $\rho$ 
$\varepsilon$-induces the institution morphism $\mu = (\Psi, \bar\alpha, \bar\beta)\colon J \to I$ given by 

$$\bar\alpha = (\mathbf{Sen}^J \cdot \varepsilon) \circ (\alpha \cdot \Psi)$$ 

$$\bar\beta = (\beta \cdot \Psi^{op}) \circ (\mathbf{Mod}^J \cdot \varepsilon^{op})$$ 

A morphism that is $\varepsilon$-induced by some comorphism is called inducible. 
Dually, given an institution morphism $\mu = (\Psi, \alpha, \beta)\colon J \to I$, a functor 
$\Phi\colon \mathbf{Sign}^I \to \mathbf{Sign}^J$ and a natural transformation $\eta\colon \mathrm{Id} \to \Psi \circ \Phi$, we say that $\mu$ 
$\eta$-induces the institution comorphism $\rho = (\Phi, \bar\alpha, \bar\beta)\colon I \to J$ given by 

$$\bar\alpha = (\alpha \cdot \Phi) \circ (\mathbf{Sen}^I \cdot \eta)$$ 

$$\bar\beta = (\mathbf{Mod}^I \cdot \eta^{op}) \circ (\beta \cdot \Phi^{op})$$ 

A comorphism that is $\eta$-induced by some morphism is called inducible. Moreover, 
it is straightforward to extend inducibility to the simple theoroidal case. Here, 
$\Phi\colon \mathbf{Sign}^I \to \mathbf{Sign}^J$ has to be replaced with $\Phi\colon \mathbf{Sign}^I \to \mathbf{Th}^J$, lead- 
ing to the equations 

$$\bar\alpha = (\alpha \cdot \mathrm{Sig} \cdot \Phi) \circ (\mathbf{Sen}^I \cdot \eta)$$ 

$$\bar\beta = (\mathbf{Mod}^I \cdot \eta^{op}) \circ (\beta \cdot \mathrm{Sig}^{op} \cdot \Phi^{op})$$ 

Furthermore, inducibility also extends to semi-(co)morphisms. □ 
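As an added check, not part of the paper, the types of the two composites in Definition 8 can be traced factor by factor; this is what makes the induced triple a morphism $J \to I$ in the sense of Section 2. For the $\varepsilon$-induced morphism, with $\varepsilon^{op}\colon \mathrm{Id} \to \Phi^{op} \circ \Psi^{op}$:

$$\mathbf{Sen}^I \circ \Psi \xrightarrow{\ \alpha \cdot \Psi\ } \mathbf{Sen}^J \circ \Phi \circ \Psi \xrightarrow{\ \mathbf{Sen}^J \cdot \varepsilon\ } \mathbf{Sen}^J$$

$$\mathbf{Mod}^J \xrightarrow{\ \mathbf{Mod}^J \cdot \varepsilon^{op}\ } \mathbf{Mod}^J \circ \Phi^{op} \circ \Psi^{op} \xrightarrow{\ \beta \cdot \Psi^{op}\ } \mathbf{Mod}^I \circ \Psi^{op}$$

so $\bar\alpha\colon \mathbf{Sen}^I \circ \Psi \to \mathbf{Sen}^J$ and $\bar\beta\colon \mathbf{Mod}^J \to \mathbf{Mod}^I \circ \Psi^{op}$, which are exactly the components required of an institution morphism $(\Psi, \bar\alpha, \bar\beta)\colon J \to I$. Dually, for the $\eta$-induced comorphism, with $\eta^{op}\colon \Psi^{op} \circ \Phi^{op} \to \mathrm{Id}$:

$$\mathbf{Sen}^I \xrightarrow{\ \mathbf{Sen}^I \cdot \eta\ } \mathbf{Sen}^I \circ \Psi \circ \Phi \xrightarrow{\ \alpha \cdot \Phi\ } \mathbf{Sen}^J \circ \Phi$$

$$\mathbf{Mod}^J \circ \Phi^{op} \xrightarrow{\ \beta \cdot \Phi^{op}\ } \mathbf{Mod}^I \circ \Psi^{op} \circ \Phi^{op} \xrightarrow{\ \mathbf{Mod}^I \cdot \eta^{op}\ } \mathbf{Mod}^I$$

giving $\bar\alpha\colon \mathbf{Sen}^I \to \mathbf{Sen}^J \circ \Phi$ and $\bar\beta\colon \mathbf{Mod}^J \circ \Phi^{op} \to \mathbf{Mod}^I$, the component types of a comorphism $(\Phi, \bar\alpha, \bar\beta)\colon I \to J$.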

With this, we can easily obtain the desired reduction: 

Theorem 9. Let $(\mathcal{I}_m, \mathcal{I}_c, \mathcal{I}_0)$ as in Definition 7 be given. 

If each morphism in $\mathcal{I}_m$ is $\varepsilon$-induced by some comorphism in $\mathcal{I}_c$, then there 
is a retraction of $(\mathcal{I}_m, \mathcal{I}_c)^\#$ onto $\mathcal{I}_c^\#$. 

Dually, if each comorphism in $\mathcal{I}_c$ is $\eta$-induced by some morphism in $\mathcal{I}_m$, then 
there is a retraction of $(\mathcal{I}_m, \mathcal{I}_c)^\#$ onto $\mathcal{I}_m^\#$. 

Proof. Consider the pushout construction in Definition 7. Clearly, $\mathcal{I}_0^\#$, $\mathcal{I}_m^\#$ and 
$\mathcal{I}_c^\#$ all have the same object class. Moreover, since $\mathcal{I}_0$ is discrete, the signature 
morphisms in $\mathcal{I}_0^\#$ are basically those of the individual institutions. With this, it 
is easy to see that the signature morphisms in $(\mathcal{I}_m, \mathcal{I}_c)^\#$ are paths of morphisms 
coming from $\mathcal{I}_m^\#$ and $\mathcal{I}_c^\#$ in an alternating way. 

The retraction of $(\mathcal{I}_m, \mathcal{I}_c)^\#$ onto $\mathcal{I}_c^\#$ (having the obvious inclusion as right 
inverse) is therefore given by the identity for the objects, while for a path of 
alternating morphisms, each morphism 

from $\mathcal{I}_m^\#$ is replaced with 

( , J i ), 

where $e$ is the index of the comorphism inducing $\mathcal{I}_m(d)$, and $\varepsilon$ the corresponding 
natural transformation. Since all the resulting morphisms live in $\mathcal{I}_c^\#$, they can 
be composed to a single morphism. 

The other statement follows by a dual argument. □ 

Unfortunately, however, there are practically relevant situations where this is not applicable.
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Proposition 10. Neither the morphism $pr: \text{CSP-CFOL}^= \to \text{CFOL}^=$ nor the theoroidal semi-comorphism $toLTL: \text{CSP-CFOL}^= \to \text{CFOL}^=\text{-LTL}$ is inducible.

Proof. Assume that $pr = (\Psi, \alpha', \beta'): \text{CSP-CFOL}^= \to \text{CFOL}^=$ is $\varepsilon$-induced by a comorphism $\rho = (\Phi, \alpha, \beta): \text{CFOL}^= \to \text{CSP-CFOL}^=$. Let $\Sigma_1$ consist of a sort $s$ and $\Sigma_2$ of sorts $t$ and $u$ (both seen as CSP-CFOL^=-signatures). Let $\sigma: \Psi(\Sigma_2) \to \Psi(\Sigma_1)$ map both $t$ and $u$ to $s$ (recall that $\Psi$ is just an inclusion). Now $\beta'_{\Sigma_2}$ just forgets the optional LTS component, and hence is surjective. Since $\beta'_{\Sigma_2}$ factors through $\beta_{\Psi(\Sigma_2)}$ by the defining equation of $\varepsilon$-induced morphisms, $\beta_{\Psi(\Sigma_2)}$ is surjective as well. Since all signature morphisms in CSP-CFOL^= are injective (and carriers are assumed to be non-empty), the corresponding reduct functors are easily seen to be surjective. Hence, the lower right path in the naturality diagram for $\beta$

[Diagram: the naturality square for $\beta$ along $\sigma$, with $\beta_{\Psi(\Sigma_2)}: \mathbf{Mod}(\Phi(\Psi(\Sigma_2))) \to \mathbf{Mod}(\Psi(\Sigma_2))$ and the reduct functor $\_|_\sigma$.]

is surjective as well. Hence, also the upper left path must be surjective, and hence its second component $\_|_\sigma$. But $\_|_\sigma$ just doubles the carrier set, and this is clearly not surjective.

The semi-comorphism $toLTL$ is more precisely defined on the subinstitution CSP-CFOL^=-d consisting of identity signature morphisms only, i.e. $toLTL = (\Phi, \beta): \text{CSP-CFOL}^=\text{-d} \to \text{CFOL}^=\text{-LTL}$. Assume that it is $\eta$-induced by a semi-morphism $\mu = (\Psi, \beta'): \text{CFOL}^=\text{-LTL} \to \text{CSP-CFOL}^=\text{-d}$. Since all signature morphisms in CSP-CFOL^=-d are identities, $\eta$ is the identity as well. Hence, $\beta' \cdot \Phi = \beta$, and one easily obtains a contradiction to the $\beta$-naturality diagram for a signature morphism $\sigma: \Phi(\Sigma_1) \to \Phi(\Sigma_2)$ in CFOL^=-LTL. This proof relies on the severe restriction of the CSP-CFOL^=-d signature morphisms; however, a proof not exploiting this is also possible. □

6 Spans of Comorphisms 

The method of the previous section to use inducibility to reduce the complexity 
of heterogeneous specifications involving different kinds of translations between 
institutions works for some cases, but the counterexamples of Proposition 10 
have shown that the method is not general enough. 

A more general idea is to express all the different kinds of translations as 
spans of morphisms or of comorphisms. The question is now whether to work 
with morphisms or with comorphisms. Indeed, comorphisms interact with amal- 
gamation properties in a much simpler way than morphisms do, see Proposi- 
tions 3.5 and 3.6 of [29]. Amalgamation properties are important in many re- 
spects, e.g. for heterogeneous theorem proving [29]. Therefore, we work with 
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spans of comorphisms. Nevertheless, the results presented below easily dualize 
to spans of morphisms. 

Each institution morphism $\mu = (\Psi, \alpha, \beta): I \to J$ can be translated into a span $I \leftarrow J \circ \Psi \rightarrow J$ of institution comorphisms as follows:

$\mathbf{Sign}^I \xleftarrow{\Psi} \mathbf{Sign}^J \xrightarrow{\mathrm{id}} \mathbf{Sign}^J$

$\mathbf{Sen}^I \circ \Psi \xleftarrow{\mathrm{id}} \mathbf{Sen}^I \circ \Psi \xrightarrow{\alpha} \mathbf{Sen}^J$

$\mathbf{Mod}^I \circ \Psi^{op} \xrightarrow{\mathrm{id}} \mathbf{Mod}^I \circ \Psi^{op} \xleftarrow{\beta} \mathbf{Mod}^J$

Here, the "middle" institution $J \circ \Psi$ is the institution with signature category inherited from $J$, but sentences and models inherited from $I$ via $\Psi$.

This span construction can also be lifted to the indexed level: Given an indexed institution $\mathcal{I}_m$ and an indexed coinstitution $\mathcal{I}_c$ (both over the same set of institutions in the sense of Definition 7), form an indexed coinstitution $Span(\mathcal{I}_m, \mathcal{I}_c)$ as follows: the index category is obtained by freely adding pairs of formal morphisms to the index category of $\mathcal{I}_c$; more precisely, one pair (obtained in a straightforward way) for each span of comorphisms corresponding to a morphism in $\mathcal{I}_m$.

Unfortunately, we cannot expect that Theorem 9 carries over to the present 
situation. But we have some weaker property that still is sufficiently strong for 
practical needs: 

Theorem 11. Given an indexed institution $\mathcal{I}_m$ and an indexed coinstitution $\mathcal{I}_c$ (both over the same set of institutions in the sense of Definition 7), then each development graph over the Bi-Grothendieck institution $(\mathcal{I}_m, \mathcal{I}_c)^\#$ can be translated into a development graph over the Grothendieck institution over the span-based indexed coinstitution $Span(\mathcal{I}_m, \mathcal{I}_c)^\#$, such that model categories are preserved.

Proof. As in the proof of Theorem 9, we rely on the fact that signature morphisms in the Bi-Grothendieck institution $(\mathcal{I}_m, \mathcal{I}_c)^\#$ are paths of morphisms coming from $\mathcal{I}_m^\#$ and $\mathcal{I}_c^\#$ in an alternating way. A global definition link therefore has the form

$M \xrightarrow{((\sigma_1, e_1), (\sigma_2, d_2), \ldots, (\sigma_n, e_n))} N,$

where the $d_i$ are from $\mathcal{I}_m$ and the $e_i$ are from $\mathcal{I}_c$ (with $(\sigma_1, e_1)$, $(\sigma_n, e_n)$ possibly not present). The definition link now is replaced by a sequence of definition and hiding links:

[Diagram: $M \to M_1 \to M_2 \to M_3 \to M_4 \to \cdots \to N$, where the path element $(\sigma_2, d_2)$ is replaced by links indexed $(\mathrm{id}, d_2^+)$ and $(\mathrm{id}, d_2^-)$, and the last link is indexed $(\sigma_n, e_n)$.]

Here, $d_2^+$ and $d_2^-$ are the indices for the span of comorphisms associated to $\mathcal{I}_m(d_2)$, and $M_1, \ldots, M_4$ are new nodes with appropriate signatures and no local 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axioms. Of course, the path could also start and/or end with a $d_i$ instead of an $e_i$, but this won't affect the general construction: each path element containing a $d_i$ leads to a sequence of a definition link, a hiding link, and again a definition link, while path elements containing an $e_i$ are just kept. The construction for theorem links is entirely analogous, except that only the last arrow in the sequence has to be a theorem link; the other ones must be definition links.

Let us now come to hiding links. The construction is very similar, so we restrict ourselves to the replacement of individual path elements of form $(\sigma_i, d_i)$. Such an element leads to

[Diagram: nodes $M_n$, $M_{n+1}$, $M_{n+2}$, $M_{n+3}$ connected by links indexed $(\mathrm{id}, d_i^+)$, $(\mathrm{id}, d_i^-)$ and $(\sigma_i, \mathrm{id})$.]

In comparison to the construction above, here the arrows are reversed, and definition and hiding links interchanged.

It is straightforward to see that the model class is left unchanged by these translations. □



Consider now a semi-morphism $\mu = (\Psi, \beta): I \to J$. It can be translated into a span of comorphisms

$\mathbf{Sign}^I \xleftarrow{\Psi} \mathbf{Sign}^J \xrightarrow{\mathrm{id}} \mathbf{Sign}^J$

$\mathbf{Sen}^I \circ \Psi \xleftarrow{\mathrm{incl}} \emptyset \xrightarrow{\mathrm{incl}} \mathbf{Sen}^J$

$\mathbf{Mod}^I \circ \Psi^{op} \xrightarrow{\mathrm{id}} \mathbf{Mod}^I \circ \Psi^{op} \xleftarrow{\beta} \mathbf{Mod}^J$

while a semi-comorphism $\rho = (\Phi, \beta): I \to J$ is translated into a span of comorphisms

$\mathbf{Sign}^I \xleftarrow{\mathrm{id}} \mathbf{Sign}^I \xrightarrow{\Phi} \mathbf{Sign}^J$

$\mathbf{Sen}^I \xleftarrow{\mathrm{incl}} \emptyset \xrightarrow{\mathrm{incl}} \mathbf{Sen}^J \circ \Phi$

$\mathbf{Mod}^I \xrightarrow{\mathrm{id}} \mathbf{Mod}^I \xleftarrow{\beta} \mathbf{Mod}^J \circ \Phi^{op}$

With this, we also can give a semantics to definition, hiding and theorem links 
involving semi-(co)morphisms. Partial (semi-) comorphisms and a restricted class 
of forward (co)morphisms can be covered as well. 

Example 12. Extend the institutions and (co)morphisms introduced in Section 3 by the following ones:

— CFOL^=-inj is the restriction of CFOL^= to signature morphisms that are injective on sorts.

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— CSP-CFOL^=-d-nosen is the restriction of CSP-CFOL^= to the empty set of sentences, for each signature, and to identity signature morphisms.

— The comorphism $pr^-: \text{CFOL}^=\text{-inj} \to \text{CFOL}^=$ is just the obvious subinstitution inclusion.

— The comorphism $pr^+: \text{CFOL}^=\text{-inj} \to \text{CSP-CFOL}^=$ behaves very similarly to $pr$: at the signature level, it is the identity; at the sentence level, it is the obvious inclusion. For models, just the LTS (if present) is forgotten.

When applying the construction of Theorem 11 to (a formalized variant of) the development graph given in Fig. 2, we arrive at the development graph shown in Fig. 4 (for simplicity, we index the involved institutions and comorphisms by themselves here).



[Fig. 4 diagram: nodes $((List, \text{CFOL}^=\text{-inj}), \emptyset)$, $((List, \text{CSP-CFOL}^=\text{-d-nosen}), \emptyset)$ and $((List', \text{CFOL}^=\text{-LTL}), \{Fair\})$, connected by links including one indexed $(\mathrm{id}, toLTL^+)$.]

Fig. 4. The sample heterogeneous development graph with spans of comorphisms.



7 Conclusion 

We have presented an example heterogeneous specification involving different kinds of translations between the involved institutions. We have discussed several ways of giving a semantics to such specifications. The most promising way has turned out to be to use indexed coinstitutions and their Grothendieck construction as a semantical foundation for heterogeneous specification, and to express other types of translation by spans of comorphisms. Of course, the dual view (followed by CafeOBJ), which takes morphism-based Grothendieck institutions as foundation [12], can also be combined with the span approach. However, as shown in [29], the comorphism-based Grothendieck construction interacts more nicely with amalgamation. Hence, we stick to comorphisms here.

Our approach also implies that we can exploit techniques such as heterogeneous borrowing [30] and the heterogeneous proof calculus [29], which are based on comorphisms only, in a much wider context. Tool support for heterogeneous specifications and development graphs is under development in the form of the heterogeneous tool set (hets). The latter provides an abstract programming interface 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for the implementable part of institutions and comorphisms. This will serve as a basis for implementing heterogeneous analysis and proof tools that are based on corresponding tools for the individual logics.
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Abstract. We introduce CoCasl as a simple coalgebraic extension of the algebraic specification language Casl. CoCasl allows the nested combination of algebraic datatypes and coalgebraic process types. We show that the well-known coalgebraic modal logic can be expressed in CoCasl. We present sufficient criteria for the existence of cofree models, also for several variants of nested cofree and free specifications. Moreover, we describe an extension of the existing proof support for Casl (in the shape of an encoding into higher-order logic) to CoCasl.



In recent years, coalgebra has emerged as a convenient and suitably general way 
of modeling the reactive behaviour of systems [26] . While algebraic specification 
deals with inductive datatypes generated by constructors, coalgebraic specifica- 
tion deals with coinductive process types that are observable by selectors. An 
important role is played here by final coalgebras, which are complete sets of 
possibly infinite behaviours, such as streams or even the real numbers. 

For algebraic specification, the Common Algebraic Specification Language 
Casl [20] has been designed as a unifying standard, while for the much younger 
field of coalgebraic specification there is still a divergence of notions and nota- 
tions. The idea pursued here is to obtain a fruitful synergy by extending Casl 
with coalgebraic constructs that dualize (in the sense of e.g. [5]) the algebraic 
constructs already present in Casl. 

In more detail, CoCasl provides a basic co-type construct, cogeneratedness 
constraints, and structured cofree specifications; moreover, coalgebraic modal 
logic is introduced as syntactical sugar. Co-types serve to describe reactive pro- 
cesses, equipped with observer operations whose role is dual to that of the con- 
structors of a datatype. Cotypes can be qualified as being cogenerated or cofree, 
respectively, thus imposing full abstractness and realization of all observable 
behaviours, respectively. The most powerful construct is that of cofree specifications, 
which allow specifying final models of arbitrary specifications. Of course, this 
raises the question for what kinds of specifications such final models actually ex- 
ist. We provide a sufficient existence condition which covers specifications that 
employ initially specified datatypes in observer functions and restrict behaviours 
by modal formulas. For such cases, we also lay out how the existing proof sup- 
port for Casl, realized by means of an encoding into Isabelle/HOL [16], can be 
extended to CoCasl. In summary, CoCasl is a syntactically and semantically 
simple extension of Casl that allows a straightforward treatment of reactive 
behaviour. 
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1 Casl 



The specification language Casl {Common Algebraic Specification Language) 
has been designed by CoFI, the international Common Framework Initiative 
for Algebraic Specification and Development [20]. Its features include first-order 
logic, partial functions, subsorts, sort generation constraints, and structured and 
architectural specifications. For the language definition and a full formal seman- 
tics cf. [20]. An important point here is that the semantics of structured and 
architectural specifications is independent of the logic employed for basic spec- 
ifications, so that the language is easily adapted to the extension of the logic 
envisaged here. That said, CoCasl does introduce one additional structuring 
concept, namely, cofree specifications. 

We now briefly recall the many-sorted Casl institution; subsorting is then 
defined on top of this. Full details can be found in [20, 17]. A Casl signature con- 
sists of a set of sorts, two sets of (total and partial) function symbols, and a set 
of predicate symbols (each symbol coming with a string of argument sorts and, 
for function symbols, a result sort). Signature morphisms map the four compo- 
nents in a compatible way. Models are many-sorted partial first order structures. 
Homomorphisms are so-called weak homomorphisms. That is, they are total as 
functions, and they preserve (but not necessarily reflect) the definedness of par- 
tial functions and the satisfaction of predicates. 

Over such a signature, sentences are built from atomic sentences using the 
usual features of first order logic. Here, an atomic sentence is either a definedness 
assertion, a strong equation, an existence equation, or a predicate application; 
see [20] for details. There is an additional type of sentence that goes beyond 
first-order logic: a sort generation constraint states that a given set of sorts is 
generated by a given set of functions, i.e. that all the values of the generated 
sorts are reachable by some term in the function symbols, possibly containing 
variables of other sorts. 

The Casl language is defined on top of this institution, offering a richer and 
more convenient syntax than the plain Casl institution. For instance, it provides 
powerful constructs for defining datatypes, which are briefly recalled below, in 
direct comparison to the corresponding CoCasl constructs. 



2 Type and Cotype Definitions 

The basic Casl construct for type definitions is the types construct. It declares 
constructors and, optionally, selectors for a datatype (or several datatypes at 
once); both constructors and selectors may be partial. Such a type declaration 
is expanded into the declaration of the constructor and selector operations and 
axioms relating the selectors and constructors. Nothing else is said about the 
type; thus, there may not only be ‘junk’ and ‘confusion’, but there may also be 
rather arbitrary behaviour of the selectors outside the range of the corresponding 
constructors. 
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In CoCasl, this construct is complemented by the cotypes construct. In its 
full form, the syntax of this construct is identical to the types construct; e.g., 
one may write 

cotype Process ::= cont(hd1 :? Elem; next :? Process)
                 | fork(hd2 :? Elem; left :? Process; right :? Process)

thus determining constructors and selectors as for types. However, for cotypes, 
thus determining constructors and selectors as for types. However, for cotypes, 
the constructors are optional and the selectors are mandatory. Moreover, the 
cotype construct introduces a number of additional axioms concerning the do- 
mains of definition of the selectors, besides the axioms relating constructors with 
their selectors as for types: 

— the domains of two selectors in the same alternative are the same, 

— the domains of two selectors in different alternatives are disjoint, and 

— the domains of all selectors of a given sort are jointly exhaustive. 

Thus, the alternatives in a cotype are to be understood as parts of a disjoint 
sum. 

Definition 1. A cotype in CoCasl is given by the local environment sorts and the family of observers

$CP = (S, (obs_{i,j,k}: P_i \to P_{i,j,k})_{i=1\ldots n,\; j=1\ldots m_i,\; k=1\ldots r_{i,j}}).$

Here, $S$ is a set of sorts (the local environment sorts, also called observable sorts), $P_1 \ldots P_n$ are the newly declared process types (or non-observable sorts) in the cotype (which possibly involve mutual recursion), and $obs_{i,j,k}$ is the $k$-th observer of the $j$-th alternative in the cotype definition of $P_i$. $P_{i,j,k}$ is the result sort of the observer; it may be either one of the $P_i$ or one of the local environment sorts in $S$. The signature $Sig(CP)$ of a cotype $CP$ consists of the local environment sorts $S$, the cotype sorts $P_1 \ldots P_n$, and the profiles of the observers; the theory $Th(CP)$ also adds the above listed axioms.

Cotypes correspond directly to coalgebras: 

Proposition 1. To a given CoCasl cotype definition $CP$, one can associate a functor $F: \mathbf{Set}^n \to \mathbf{Set}^n$ such that the category of partial $Th(CP)$-algebras is isomorphic to the category of $F$-coalgebras. In particular, this implies that all homomorphisms between partial $Th(CP)$-algebras are closed [6], i.e. not only preserve, but also reflect definedness.

3 Generation and Cogeneration Constraints 

In order to exclude 'junk' from models of datatypes, Casl provides generatedness constraints that essentially introduce (higher order) implicit induction axioms. Dually, CoCasl introduces cogeneratedness constraints that amount to an implicit coinduction axiom and thus restrict the models of the datatype to fully abstract ones. This means that equality is the largest congruence w.r.t. the introduced sorts, operations and predicates (excluding the constructors). In the example in Fig. 1, the STREAM1-models are (up to isomorphism) the tl-closed subsets of $E^\omega$, where $E$ is the interpretation of the sort Elem. A more complex example is the specification of CCS [18]. States are generated by the CCS syntax, but they are identified if they are bisimilar w.r.t. the ternary transition relation. This can be expressed in CoCasl by stating that states are cogenerated w.r.t. the transition relation.

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spec Stream1 [sort Elem] =
  cogenerated cotype
    Stream ::= cons(hd : Elem; tl : Stream)
end

Fig. 1. Cogenerated specification of bit streams in CoCasl.

Formally, a cogeneration constraint over a signature $\Sigma$ is a subsignature fragment (i.e. a tuple of component-wise subsets that need not by itself form a complete signature) $\Sigma' = (S, TF, PF, P)$ of $\Sigma$. In the above example, the cogeneration constraint is $(\{Elem\}, \{hd, tl\}, \emptyset, \emptyset)$.

A $\Sigma$-cogeneration constraint $\Sigma' \subseteq \Sigma$ is satisfied in a $\Sigma$-model $M$ if each equivalence relation on $M$ that

— is the equality relation on sorts in $S$, and

— is a closed congruence for the operations and predicates in $\Sigma'$

is the equality relation. (Recall from [6] that a congruence on a partial algebra is closed if domains of partial functions and predicates are closed under the congruence.)

Note that selectors of cotypes, which play the role of observers, are always 
unary. However, like the generated { . . . } construct in Casl, the cogener- 
ated { . . . } construct allows the inclusion of arbitrary signature items in the 
cogeneratedness constraint, so that observers of arbitrary arity are also possi- 
ble. In particular, observers may have additional observable arguments (cf. the 
example in Fig. 6 below) as well as several non-observable arguments. 

In duality to generated types in Casl, the construct cogenerated cotype 
. . . abbreviates cogenerated {cotype . . . }. No such abbreviation is provided 
for cogenerated {type . . . }, the use of which is in fact expressly discouraged. A 
particularly discouraging example for the use of types where cotypes are expected 
is given in Example 6. 
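To make the coinduction principle behind cogeneratedness concrete, here is an added example (not from the paper): it computes the largest closed congruence on a finite model by partition refinement, tests whether that congruence is the equality relation, and forms the fully abstract quotient. The stream model and the Moore automaton (an observer with an extra observable argument, as in Fig. 6 below) are constructed sample inputs, and the dict-based model encoding is an assumption of this example.

```python
"""Partition-refinement check of a cogeneratedness constraint on a finite model.

Assumed encoding: a finite set of states of one non-observable sort plus observers,
each tagged with the kind of its result sort:
  'observable' - result in a local environment sort (hd : Stream -> Elem)
  'state'      - result is again a state             (tl : Stream -> Stream)
Observers may take extra observable arguments (next : In x State -> State) and
may be partial: a None result means "undefined".
"""
from typing import Callable, Dict, Hashable, List, Optional, Tuple

Observer = Tuple[str, Callable[..., Optional[Hashable]]]
Arguments = Dict[str, List[tuple]]        # observer name -> tuples of extra args


def coarsest_closed_congruence(states: List[Hashable],
                               observers: Dict[str, Observer],
                               arguments: Arguments) -> Dict[Hashable, int]:
    """Largest closed congruence on `states`, as a map state -> block id.

    Starting from the coarsest partition, each round splits a block by the
    observations its members admit; 'closed' means definedness must agree too.
    """
    block = {s: 0 for s in states}
    while True:
        sig = {}
        for s in states:
            obs = []
            for name, (kind, f) in observers.items():
                for args in arguments.get(name, [()]):
                    v = f(s, *args)
                    if v is None:
                        obs.append((name, args, None))           # undefined here
                    elif kind == 'state':
                        obs.append((name, args, ('block', block[v])))
                    else:
                        obs.append((name, args, ('value', v)))
            sig[s] = (block[s], tuple(obs))
        ids: Dict[tuple, int] = {}
        refined = {s: ids.setdefault(sig[s], len(ids)) for s in states}
        if len(ids) == len(set(block.values())):
            return refined                 # nothing was split: fixpoint reached
        block = refined


def is_cogenerated(states, observers, arguments) -> bool:
    """The constraint holds iff the largest closed congruence is equality."""
    blocks = coarsest_closed_congruence(states, observers, arguments)
    return len(set(blocks.values())) == len(states)


def quotient(states, observers, arguments):
    """Identify congruent states: the result is the fully abstract model."""
    block = coarsest_closed_congruence(states, observers, arguments)
    rep: Dict[int, Hashable] = {}
    for s in states:
        rep.setdefault(block[s], s)            # one representative per block

    def lift(kind, f):
        def g(b, *args):
            v = f(rep[b], *args)
            if v is None:
                return None
            return block[v] if kind == 'state' else v
        return (kind, g)

    return sorted(rep), {n: lift(k, f) for n, (k, f) in observers.items()}


# Constructed sample 1: a finite model of Stream1 over Elem = {0, 1}.
# a/c and b/d are bisimilar (both alternate 0,1,0,1,...); e is 0,0,0,...
HD = {'a': 0, 'b': 1, 'c': 0, 'd': 1, 'e': 0}
TL = {'a': 'b', 'b': 'a', 'c': 'd', 'd': 'c', 'e': 'e'}
STREAM_STATES = sorted(HD)
STREAM_OBS: Dict[str, Observer] = {
    'hd': ('observable', lambda s: HD[s]),
    'tl': ('state', lambda s: TL[s]),
}

# Constructed sample 2: a Moore automaton; `next` also takes an input letter.
OBSERVE = {'p': 0, 'q': 0, 'r': 1}
NEXT = {('x', 'p'): 'q', ('y', 'p'): 'r', ('x', 'q'): 'q',
        ('y', 'q'): 'r', ('x', 'r'): 'p', ('y', 'r'): 'p'}
MOORE_STATES = ['p', 'q', 'r']
MOORE_OBS: Dict[str, Observer] = {
    'observe': ('observable', lambda s: OBSERVE[s]),
    'next': ('state', lambda s, i: NEXT[(i, s)]),
}
MOORE_ARGS: Arguments = {'next': [('x',), ('y',)]}

if __name__ == '__main__':
    print('Stream1 blocks:', coarsest_closed_congruence(STREAM_STATES, STREAM_OBS, {}))
    qs, qo = quotient(STREAM_STATES, STREAM_OBS, {})
    print('quotient cogenerated:', is_cogenerated(qs, qo, {}), 'states', qs)
    print('Moore blocks:', coarsest_closed_congruence(MOORE_STATES, MOORE_OBS, MOORE_ARGS))
```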



4 Free Types and Cofree Cotypes 

Casl allows the exclusion not only of 'junk' in datatypes, but also of 'confusion', i.e. of equalities between different constructor terms. To this end, it provides the (basic) free types construct. Free datatypes carry implicit axioms that state, beside term-generatedness, the injectivity of the constructors and the disjointness of their images. The most immediate effect of these axioms is that recursive definitions on a free datatype are conservative. The elements of a free datatype can be thought of as being the (finite) constructor terms, i.e. in a suitable sense finite trees.

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spec Stream2 [sort Elem] =
  cofree cotype
    Stream ::= (hd : Elem; tl : Stream)
end

Fig. 2. Cofree specification of bit streams in CoCasl.

In CoCasl, we provide, dually, a cofree cotypes construct that specifies 
the absolutely final coalgebra of infinite behaviour trees (see Example 6 on why 
there is no cofree types construct). More concretely, this means that, in addi- 
tion to cogeneratedness, there is also a principle stating that there are enough 
behaviours, namely all infinite trees [2] (with branching as specified by the se- 
lectors). In contrast to its dual (no confusion among constructors), the latter 
principle cannot be expressed in first-order logic; however, a second-order specification is possible (see below). In the example in Fig. 2, the STREAM2-models are isomorphic to $E^\omega$, where $E$ is the interpretation of the sort Elem.

Definition 2. Given a set of sorts $S$, an $S$-colouring is just an $S$-sorted family of sets (of colours).

We are now ready to dualize the important algebraic concept of term algebra. 

Definition 3. Given a cotype

$CT = (S, (obs_{i,j,k}: T_i \to T_{i,j,k})_{i=1\ldots n,\; j=1\ldots m_i,\; k=1\ldots r_{i,j}})$

and an $S$-colouring $C$, the behaviour algebra $Beh_{CT}(C)$ is defined to be the following $Sig(CT)$-algebra:

— the carriers for observable sorts (i.e. in $S$) are those determined by $C$;

— the carriers for a non-observable sort $T_{i_0}$ consist of all infinite trees of the following form:

• each inner node is labelled with a pair $(T_i, j)$, where $T_i$ is a non-observable sort and $j \in \{1 \ldots m_i\}$ selects an alternative out of those for $T_i$;

• the root is labelled with $(T_{i_0}, j_0)$ for some $j_0$;

• each leaf is labelled with an observable sort $s \in S$ and some colour from $C_s$;

• each non-leaf node with label $(T_i, j)$ has one child for each of the observers $obs_{i,j,k}$ ($k = 1 \ldots r_{i,j}$). The child node is labelled with the result sort of the observer.

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— an observer operation $obs_{i_0,j,k}$ is defined for a tree with root $(T_{i_0}, j_0)$ if and only if $j = j_0$, and in this case, it just selects the child tree corresponding to the observer.

Proposition 4. Given a cotype

$CT = (S, (obs_{i,j,k}: T_i \to T_{i,j,k})_{i=1\ldots n,\; j=1\ldots m_i,\; k=1\ldots r_{i,j}})$

and an $S$-colouring $C$, the behaviour algebra $Beh_{CT}(C)$ is final in the following sense: for any $Sig(CT)$-algebra $A$ equipped with a $C$-colouring $h$ (that is, a family of maps $(h_s: A_s \to C_s)_{s \in S}$), we can extend $h$ in a unique way to a $Sig(CT)$-homomorphism

$h^\#: A \to Beh_{CT}(C).$

Proof. Using the characterization of Prop. 1, the result follows from the general construction of final coalgebras over the category of $\{T_1, \ldots, T_n\}$-sorted sets (this generalizes the well-known result for $\mathbf{Set}$ [2]). Intuitively, $h^\#$ constructs the behaviour of an element, which is the infinite tree given by all possible observations that can be made by successively applying the observers until a value of observable sort (i.e. in $S$) is reached. □

Given a signature $\Sigma$, we formally add cofreeness constraints of form $cofree(CT)$, where

$CT = (S, (obs_{i,j,k}: T_i \to T_{i,j,k})_{i=1\ldots n,\; j=1\ldots m_i,\; k=1\ldots r_{i,j}})$

is a cotype with $Sig(CT) \subseteq \Sigma$, as $\Sigma$-sentences to our logic. A cofreeness constraint $cofree(CT)$ holds in a $\Sigma$-algebra $A$ if the reduct of $A$ to $Sig(CT)$ is isomorphic to the behaviour algebra $Beh_{CT}(C)$ over the set of colours $C$ with $C_s := A_s$ for $s \in S$.

Note that this implies the satisfaction of the cogeneratedness constraint $(S, \{sel_{i,j,k} \mid sel_{i,j,k} \text{ total}\}, \{sel_{i,j,k} \mid sel_{i,j,k} \text{ partial}\}, \emptyset)$, i.e. each cofree cotype is also cogenerated. The converse does not hold, i.e. a cogenerated cotype need not 
be cofree. However, cogenerated cotypes still behave quite nicely (in contrast to 
arbitrary cogenerated types): the elements of carriers of the non-observable sorts 
(i.e. those outside S) are completely determined by their behaviours. Thus, the 
elements can be identified with their behaviours, and up to isomorphism, we 
have a subalgebra of the cofree cotype. Hence, cofreeness essentially adds the 
requirement that each possible behaviour is actually represented by an element. 

Note that an equivalent description of the behaviour algebra can be given in 
terms of contexts [11], using the “magic formula”: 

where $Ctx_{Sig(CT)}(C)[z_s]$ is the set of all terms consisting of constants in $C$, observer operations and a single occurrence of a variable $z_s$ of non-observable sort $s$.

The main benefit of cofree cotypes (in comparison to cogenerated cotypes) is the principle

corecursive definitions in cofree cotypes are always conservative,

meaning that any given model of a cofree cotype can (even uniquely) be extended to a model of a corecursive definition over this cotype.

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Algebra                               Coalgebra
type = (partial) algebra              cotype = coalgebra
constructor                           selector
generation                            observability
generated type                        cogenerated (co)type
  = no junk                             = full abstractness
  = induction principle                 = coinduction principle
no confusion                          all possible behaviours
free type                             cofree cotype
  = absolutely initial datatype         = absolutely final process type
  = no junk + no confusion              = full abstractness + all possible behaviours
free { ... } = initial datatype       cofree { ... } = final process type

Fig. 3. Summary of dualities between Casl and CoCasl.

Note that if we want to get an institution, in order to be able to translate 
the various constraints along signature morphisms in a way that the satisfaction 
condition for institutions is fulfilled, one has to equip the constraints with an 
additional signature morphism, as in [20, 17]. 

Fig. 3 contains a summary of the Casl concepts and their CoCasl dualizations (including structured free and cofree, covered in the next section).



5 Structured Free and Cofree Specifications 

Besides institution-specific language constructs, Casl also provides institution- 
independent structuring constructs. In particular, Casl provides the structured 
free construct that restricts the model class to initial or free models. That is, if $Sp_1$ is a specification with signature $\Sigma_1$, then the models of $Sp_1$ then free $\{Sp_2\}$ are those models $M$ of $Sp_1$ then $Sp_2$ that are free over $M|_{\Sigma_1}$ w.r.t. the reduct functor $\_|_{\Sigma_1}$. This allows for the specification of datatypes that are generated freely w.r.t. given axioms, as, for example, in the specification of finite sets over an element sort shown in Figure 4.

The cofree { . . . } construct dualizes the free { . . . } construct by restricting 
the model class of a specification to the cofree ones. This generalizes cofree 
types to the case of non-unary functions (e.g. as in Figure 5) and the presence 
of axioms (e.g. as in Figure 7 below). 

More precisely, the semantics of cofree is defined as follows: 

Definition 5. If $Sp_1$ is a specification with signature $\Sigma_1$ then the models of $Sp_1$ then cofree $\{Sp_2\}$ are those models $M$ of $Sp_1$ then $Sp_2$ that are fibre-final over $M|_{\Sigma_1}$ w.r.t. the reduct functor $\_|_{\Sigma_1}$. Here, fibre-finality means that $M$ is the final object in the fibre over $M|_{\Sigma_1}$. The fibre over $M|_{\Sigma_1}$ is the full subcategory of $Mod(Sp_2)$ consisting of those models whose $\Sigma_1$-reduct is $M|_{\Sigma_1}$.





Algebraic-Coalgebraic Specification in CoCasl 383 



spec GenerateFiniteSet [sort Elem] =
  free
  { type FinSet[Elem] ::= {}
                       | {__}(Elem)
                       | __ ∪ __(FinSet[Elem]; FinSet[Elem])
    op __ ∪ __ : FinSet[Elem] × FinSet[Elem] → FinSet[Elem],
       assoc, comm, idem, unit {}
  }
end

Fig. 4. Specification of finite sets over an arbitrary element sort in Casl.



spec FunctionType =
  sorts A, B
  then cofree {
    sort Fun[A, B]
    op eval : Fun[A, B] × A → B
  }
end

Fig. 5. Cofree specification of function types.



This definition deviates somewhat from the semantics of free in that the latter 
postulates freeness rather than fibre-initiality. (Actually, it might be worthwhile 
to redefine the Casl semantics for free specifications in terms of fibre-initial 
models.) We will see shortly that the more liberal semantics for cofree is essential 
in cases where sorts from the local environment occur as argument sorts of 
selectors. Call a sort from the local environment an output sort if it occurs only 
as a result type of selectors. In the cases of interest, a more general co-uni versal 
property concerning, in the notation of the above definition, morphisms of Si- 
models that are the identity on all sorts except possibly the output sorts follows 
from fibre-finality. 

We shall see below (Theorem 11) that the cofree cotypes construct is equiv- 
alent to cofree { cotypes . . . }. By contrast, the use of cofree { types . . . } 
should be avoided: 

Example 6. The specification

free type Bool ::= false | true then
cofree { type T ::= c1(s1 :? Bool) | c2(s2 :? Bool) },

is inconsistent. Indeed, by applying the uniqueness part of finality to a model of the unrestricted type where T has an element on which both selectors are undefined (this is allowed for types but not for cotypes), one obtains that any 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model of the cofree type would be a singleton; however, singleton models fail to satisfy the finality property e.g. for the model of the unrestricted type where T is Bool × Bool and the selectors are the projections.

As an example for the significance of the relaxation of the cofreeness condi- 
tion, consider the specification of Moore automata as given in Figure 6. Here, 
the observer next depends not only on the state, but additionally on an input 
letter. 



spec Moore =
  sorts In, Out
  then cofree {
    sort State
    ops next : In × State → State;
        observe : State → Out
  }
end

Fig. 6. Cofree specification of Moore automata.

In the standard theory of coalgebra, next would become a higher-order operation $next: State \to State^{In}$, and the cofree coalgebra indeed yields the final automaton showing all possible behaviours, but only for a fixed carrier for In 
(the inputs). The carrier for Out is also regarded as fixed; however, one can show 
that the co-universal property holds also for morphisms that act non-trivially 
on Out. If the semantics of cofree required actual cofreeness, i.e. a couniversal 
property also for morphisms that act non-trivially on In, the specification would 
be inconsistent! 



spec BitStream3 =
  free type Bit ::= 0 | 1
  then cofree {
    cotype BitStream ::= (hd : Bit; tl : BitStream)
    ∀ s : BitStream
    • hd(s) = 0 ∧ hd(tl(s)) = 0 ⇒ hd(tl(tl(s))) = 1 }
end

Fig. 7. Structured cofree specification of bit streams in CoCasl.

Let us now come to a further modification of the stream example. If the 
axiom were omitted in the specification in Figure 7, the model class would be 
the same as that in Figure 1, instantiated to the case of bits as elements. With 
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the axiom, the streams are restricted to those where two 0's are always followed 
by a 1. Again, this is unique up to isomorphism. 

It is straightforward to specify iterated free/cofree constructions, similarly 
as in [23]. Consider e.g. the specification of lists of streams of trees in Figure 8. 
Alternatively, one could have used structured free and cofree constructs as well: 

SP then free {SP1} then cofree {SP2} then free ...

Note that also in the latter case, there won’t be any free within a cofree or vice 
versa. 



spec ListStreamTree [sort Elem] =
  free type
    Tree ::= EmptyTree | Tree(left :? Tree; elem :? Elem; right :? Tree)
  cofree cotype
    Stream ::= (hd : Tree; tl : Stream)
  free type
    List ::= Nil | Cons(head :? Stream; tail :? List)
end



Fig. 8. Nested free and cofree (co)types. 



An example for free within cofree is shown in Figure 9. Here, the inner free 
has to be a structured one, since sets cannot be specified as free type directly. 
Alternatively, sets may be specified using a generated type together with a 
first-order extensionality axiom. We have preferred the former variant over the 
latter one in order to be able to apply Theorem 10 below. 



spec NonDeterministicAutomata =
  sort In
then cofree {
  sort State
  then free {
    type Set ::= {} | {__}(State) | __ ∪ __(Set; Set)
    op __ ∪ __ : Set × Set → Set,
       assoc, comm, idem, unit {}
  }
  then op next : In × State → Set
}
end



Fig. 9. A free type within a cofree type. 
6 Modal Logic

Given a cotype that defines non-observable sorts with selectors acting as ob- 
servers, we can define a coalgebraic modal logic in the style of [14]. A non- 
observable sort corresponds to a set of possible worlds, and leaving this set 
implicit is the main idea of modal logic. A selector t with non-observable result 
sort leads to modalities [t], <t>, [t*], <t*> (all-next, some-next, always, even- 
tually), while a selector with observable result sort leads to a flexible constant 
(i.e. a constant that depends on the respective world) that can be used to make 
observations (by equating it to a term of observable sort). The modal logic then 
consists of such equations as atomic sentences, which may be combined using 
the modalities above and the usual propositional connectives, as well as quan- 
tification over variables of observable sorts. Using this logic, we can write, in the 
example of Figure 7, 

hd = 0 ∧ <tl> hd = 0 ⇒ <tl><tl> hd = 1

as syntactic sugar for

hd(s) = 0 ∧ hd(tl(s)) = 0 ⇒ hd(tl(tl(s))) = 1

Each modal formula φ has a sort, and is implicitly universally quantified over a
variable of this sort. The sort of φ is determined by the non-observable argument
in the observers used in φ. In particular, a modal formula is well-formed only in
case of correct sorting. One may switch to a different sort (i.e. a different state
space) using the modalities, but only in a well-sorted way. If necessary (due to
overloading), observers have to be provided with explicit types. The 'iterative'
modalities [t*] and <t*> are meaningful only for observers that remain within
the same non-observable sort.

Moreover, we provide a global diamond <global> as suggested in [15], where
<global> φ expresses the fact that φ holds in some state of the system. For reasons
laid out in [15], the global diamond is restricted to positive occurrences. As
explained in [15], the global diamond is, in terms of expressivity, equivalent to
modal rules which state implications between validities of modal formulas. For
full details of the modal logic see [19].

The modal logic allows expressing safety or fairness properties. For example, 
the model of the specification BitStream4 of Figure 10 consists, up to iso- 
morphism, of those bitstreams that will always eventually output a 1. Here, the 
‘always’ stems from the fact that the modal formula is, on the outside, implicitly 
quantified over all states, i.e. over all elements of type BitStream. 

Remark 7. The modal μ-calculus [13], which provides a syntax for least and
greatest fixed points of recursive modal predicate definitions, is expressible
using free and cofree specifications: μ is expressible with free recursively defined
predicates, while ν is expressible with cofree recursively defined predicates, and
nesting of μ and ν corresponds to nesting of free and cofree. It is an open point
of discussion whether future versions of CoCasl should include the μ-calculus,
or whether the existing modal operators and the explicit coding of μ-formulas
suffice for practical purposes.
spec BitStream4 =
  free type Bit ::= 0 | 1
then cofree {
  cotype BitStream ::= (hd : Bit; tl : BitStream)
  • <tl*> hd = 1
}
end



Fig. 10. Specification of a fairness property.
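As an added illustration of the modalities just described (this is not code from the CoCasl paper or its tool set), the following Python model checker evaluates such formulas over finite coalgebras: atomic observations `obs = value`, the next-step modalities [t] and <t>, the iterated [t*] and <t*> computed as greatest and least fixpoints on a finite state space, and the global diamond. The `Coalgebra` class, the functions `sat`, `holds` and `valid`, the tuple encoding of formulas and the periodic bit-stream automata built by `periodic_bitstream` are assumptions made for this example; state-valued selectors return sets of successors, so a nondeterministic next as in Figure 9 (one key per input letter) fits the same interface.

```python
"""Finite-state model checker for the coalgebraic modal logic of Section 6.
Added example (not from the CoCasl paper or tool set); the Coalgebra class,
the tuple encoding of formulas and the sample automata are assumptions."""


class Coalgebra:
    """A finite coalgebra.  obs[name][s] is the value of the observable
    selector `name` at state s; trans[name][s] is the *set* of successor
    states under the state-valued selector `name` (a singleton for cotype
    selectors such as tl, possibly larger for a nondeterministic
    next : In x State -> Set as in Figure 9, one key per input letter)."""

    def __init__(self, states, obs, trans):
        self.states = frozenset(states)
        self.obs = obs
        self.trans = trans


def sat(m, phi):
    """Extension of phi in m: the set of states satisfying it.  Formulas are
    tuples: ('eq', obs, v) | ('not', f) | ('and', f, g) | ('or', f, g)
    | ('imp', f, g) | ('box', t, f) | ('dia', t, f) | ('boxstar', t, f)
    | ('diastar', t, f) | ('global', f)."""
    op = phi[0]
    if op == 'eq':                      # flexible constant obs equals v here
        return frozenset(s for s in m.states if m.obs[phi[1]][s] == phi[2])
    if op == 'not':
        return m.states - sat(m, phi[1])
    if op == 'and':
        return sat(m, phi[1]) & sat(m, phi[2])
    if op == 'or':
        return sat(m, phi[1]) | sat(m, phi[2])
    if op == 'imp':
        return (m.states - sat(m, phi[1])) | sat(m, phi[2])
    if op == 'global':                  # <global> f: f holds in some state
        return m.states if sat(m, phi[1]) else frozenset()
    if op not in ('box', 'dia', 'boxstar', 'diastar'):
        raise ValueError('unknown connective %r' % op)
    step, f = m.trans[phi[1]], sat(m, phi[2])
    if op == 'box':                     # [t] f: every t-successor satisfies f
        return frozenset(s for s in m.states if step[s] <= f)
    if op == 'dia':                     # <t> f: some t-successor satisfies f
        return frozenset(s for s in m.states if step[s] & f)
    if op == 'diastar':                 # <t*> f: least fixpoint of f or <t>X
        cur = f
        while True:
            nxt = cur | frozenset(s for s in m.states if step[s] & cur)
            if nxt == cur:
                return cur
            cur = nxt
    cur = f                             # [t*] f: greatest fixpoint of f and [t]X
    while True:
        nxt = frozenset(s for s in cur if step[s] <= cur)
        if nxt == cur:
            return cur
        cur = nxt


def holds(m, phi, s):
    """Does state s of m satisfy phi?"""
    return s in sat(m, phi)


def valid(m, phi):
    """A modal formula is implicitly universally quantified over all states
    of its sort, so a specification axiom must hold at every state."""
    return sat(m, phi) == m.states


def periodic_bitstream(pattern):
    """Constructed sample: the finite coalgebra (hd : State -> Bit,
    tl : State -> State) of the periodic stream pattern^omega."""
    n = len(pattern)
    return Coalgebra(range(n),
                     {'hd': {i: pattern[i] for i in range(n)}},
                     {'tl': {i: frozenset({(i + 1) % n}) for i in range(n)}})


# Axiom of BitStream3 (Figure 7) in modal form and the fairness axiom of
# BitStream4 (Figure 10): hd = 0 /\ <tl> hd = 0 => <tl><tl> hd = 1 and <tl*> hd = 1.
TWO_ZEROS_THEN_ONE = ('imp',
                      ('and', ('eq', 'hd', 0), ('dia', 'tl', ('eq', 'hd', 0))),
                      ('dia', 'tl', ('dia', 'tl', ('eq', 'hd', 1))))
ALWAYS_EVENTUALLY_ONE = ('diastar', 'tl', ('eq', 'hd', 1))

if __name__ == '__main__':
    for pat in [(0, 0, 1), (0, 0, 0, 1), (0,)]:
        m = periodic_bitstream(pat)
        print(pat, valid(m, TWO_ZEROS_THEN_ONE), valid(m, ALWAYS_EVENTUALLY_ONE))
```

On the three-state automaton of the periodic stream (0 0 1)^ω both the axiom of Figure 7 and the fairness axiom of Figure 10 are valid; on (0 0 0 1)^ω only the fairness axiom is, and on the constant zero stream neither. Validity is satisfaction at every state, which is the implicit universal quantification of the modal formulas explained above.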

7 Existence of Cofree Models 

The theory of algebraic specification and institutions provides us with a very
general characterization of the existence of free models [27]: free models exist for
specifications with universally quantified Horn axioms. (Part of) a dual result
has been obtained in [15]. In summary, results from [26, 14, 15] guarantee that
cofree coalgebras over $Set$ exist for bounded functors and modal axioms or,
more generally, axioms that are stable under coproducts and quotients. This
has to be generalized slightly in order to cope with specifications with several
non-observable sorts, i.e. for coalgebras over $Set^n$.

Even more generally, we have 

Proposition 8. Let $C$ be a category equipped with a factorization system
$(E, M)$ for (large) sinks [1], and let $\Sigma : C \to C$ be a functor that preserves
$M$. Then $(E, M)$ lifts to a factorization structure on the category $CoAlg(\Sigma)$ of
$\Sigma$-coalgebras.

Let $B$ be a subcategory of $CoAlg(\Sigma)$ that is closed under $E$-sinks, and let
$CoAlg(\Sigma)$ have a final coalgebra. Then $B$ has a fully abstract final coalgebra in
the sense of [15].

Proof. The lifting statement is clear. The given condition on $B$ is equivalent to
$B$ being $M$-coreflective [1]. Then the $M$-coreflection of the final $\Sigma$-coalgebra is
a (fully abstract) final coalgebra in $B$.

The condition on $\Sigma$ is always almost satisfied for the factorization structure
(jointly surjective, injective) on $Set^n$, since injective maps in $Set^n$ are sections
provided that their domain is non-empty; in fact, by a construction described
for $n = 1$ in [3], we can always assume preservation of injective maps.

If $C$, and hence $CoAlg(\Sigma)$, has coproducts, then closedness under $E$-sinks
is equivalent to closedness under quotients and coproducts, provided that every
$E$-sink contains a small $E$-sink (this is the case in $Set^n$). However, it is often just
as easy to argue directly via $E$-sinks, e.g. in the proof of the following rather
general sufficient condition for $M$-coreflexivity (and, hence, existence of final
coalgebras):
Lemma 9. Let $\Sigma : Set^n \to Set^n$. If $B$ is a subcategory of $CoAlg(\Sigma)$ determined
by formulas of the form

$$\phi = \forall s : S\,.\; P(s),$$

where $S$ is one of the carriers of the coalgebra, and

$$P(s) \Rightarrow P(h_S(s))$$

for each coalgebra homomorphism $h$ with $S$-component $h_S$, then $B$ is closed
under jointly surjective sinks in $CoAlg(\Sigma)$.

It is easy to see that this condition is satisfied for the modal logic formulas 
described above. 

We are now ready to state the main existence result: 

Theorem 10. Let $Sp$ be the specification

$Sp_1$ then cofree { $Sp_2$ }.

Call the sorts from $Sp_1$ observable sorts. Let the specification $Sp_2$ consist of (no
more than)

– declarations of non-observable sorts,

– auxiliary datatypes that are defined over the other sorts using free with only
equational axioms (or an equivalent construction),

– further operations called observers that each have exactly one non-observable
argument and otherwise only observable arguments called parameters,

– modal logic formulas, and

– (mandatory) further axioms (say, a redeclaration of the non-observable sorts
as cotypes) stating that domains of observers do not depend on parameters
and form a disjoint cover of the respective non-observable sorts.

Then $Sp$ is conservative (model-extensive) over $Sp_1$.

Proof. From Proposition 1 together with monomorphicity of the auxiliary sorts,
we know that the category of $Sp_2$-models over a given $Sp_1$-model is equivalent
to a subcategory of $\Sigma$-coalgebras for some functor $\Sigma : Set^n \to Set^n$. It is easy
to check that $\Sigma$ is bounded, and hence admits a final coalgebra [26]; the proof
is finished by appealing to Lemma 9 and Proposition 8.

Moreover, we have 

Theorem 11. If DD is a sequence of selector-based datatype definitions
without subsorting, then

cofree { cotypes DD } and cofree cotypes DD

have the same semantics.
8 Tool Support

It is quite straightforward to extend the central analysis tool for Casl (the 
Casl tool set), to CoCasl. Of course, the more challenging task is to obtain 
good proof support. Here, we aim at extending the existing encoding of Casl 
in Isabelle/HOL [16] to CoCasl. 

cogenerated types are no problem: coinduction is a second-order princi- 
ple. The same holds for the infinite trees needed for cofree cotypes; actually, 
Isabelle/HOL already comes with such trees. 

The greater difficulties come with specifications of the form cofree { SP }.
If SP is flattenable and axiomatized within the modal logic, we can proceed
similarly to the case of cofree types: the model of cofree { SP } is a subcoalgebra
of the coalgebra of all behaviours (as specified by the corresponding cofree
type), namely the largest subcoalgebra that satisfies the modal axioms.

More complex examples, such as nondeterministic automata or trees with 
unbounded branching, involve a free specification of output sorts of selectors 
(like lists or sets) within a cofree {...}. Here, in a first step, we proceed as above 
and encode the cofree type over the absolutely free type (only the branching may 
now be infinite, being determined by a datatype). Then the cofree type over the 
relatively free type is obtained as the quotient modulo the largest congruence 
[12]. In terms of tool support, this means the following: 

— Equality of elements in the cofree datatype is obtained as before by coinduc- 
tive reasoning (or via terminal sequence induction [21]), the difference with 
the absolutely free case being that the formulas in the free specification (e.g. 
associativity, commutativity, and idempotence in the case of finite sets) are 
now available for such proofs. 

— Distinctness of elements is shown, again as before, by establishing that the 
behaviours are different. Here, the encoding of free specifications comes in: 
distinctness of two elements of a relatively free type is shown by separating 
the two elements by a congruence. 

Remark 12. Above, we have seen two cases where free specifications within 
cofree specifications allow good technical handling: 

— the output sorts of selectors for a cofree datatype may be given by a free 
specification, which is handled as described above; 

— the modal formulas that restrict the elements of the cofree type may involve 
freely (or cofreely) specified predicates, which are dealt with in Isabelle by 
means of least and greatest fixed points. 

Beyond these two cases, the situation remains somewhat unclear. E.g., the fol- 
lowing specification is inconsistent: 

spec FinalElement = Bool then
  cofree {
    free type Unit ::= 1
    op el : Unit → Bool }

This seems to indicate that input sorts should not be restricted by equational
axioms (the freeness constraint can be replaced by an equation here), or in fact
by anything else except modal formulas; this is in agreement with suggestions
made in [14]. On the other hand, observe that constraining output sorts is more
or less mandatory: e.g., the specification of nondeterministic automata (Figure 9)
becomes meaningless if the freeness constraint (for the type of sets) is omitted;
the model it describes is then just the singleton set (with a 'power set' consisting
only of the empty set). In other words, enough of a handle must be provided to
actually prove distinctness of observations.

Also, a proof principle for free specifications containing cofree specifications 
seems to be much harder to obtain. Here, we propose to avoid the outer free 
specification and use a generation axiom plus some characterization of equality 
by suitably chosen observers instead. 



9 Conclusion and Related Work 

We have introduced CoCasl as a relatively easy extension of Casl. CoCasl
allows algebraic and coalgebraic specification to be mixed. We have shown that
the well-known coalgebraic modal logic and even the modal μ-calculus can easily
be expressed in CoCasl, and have given sufficient criteria for the existence of cofree
models (also in the case of nested cofree and free specifications). Finally, we have
shown how the existing coding of Casl into higher-order logic can be extended
to CoCasl.

CoCasl is more expressive than other algebra-coalgebra combinations in the 
literature: [7] uses a simpler logic, while hidden algebra such as in BOBJ [24] 
and reachable-observable algebra such as in COL [4, 5] do not support cofree 
types (at least not at the level of basic specifications), which in particular means 
that corecursive definitions are not conservative. For example, a cogenerated 
specification of streams in COL with say, a cons operation, has also a model 
consisting of pairs (finite list, bit), where the finite list specifies the first part 
of the behaviour, and the bit specifies the (constant) behaviour afterwards. The 
corecursive definition of a flip stream (consisting of alternating zeros and ones) 
is then non-conservative. 

By contrast, cofree types in CoCasl support a style of specification separating
the basic process type (with its data sorts, observers and other operations)
from further, derived operations defined on top of this in a conservative way.
Note that this is not a purely theoretical question: programming languages such
as Charity [8] and Haskell [9] support infinite datastructures that correspond to
the infinite trees in the behaviour algebras, and one should be able to specify
that as many infinite trees as needed for all programs over some datastructure
expressible in these languages are present in the models of a specification. The
Haskell semantics for lazy datastructures (at least for the non-left-→-recursive
case) indeed comprises all infinite trees, i.e. is captured exactly by a behaviour
algebra.
Unlike COL [4, 5], CoCasl does not simultaneously support a glass-box and
a black-box view on a specification. However, we plan to develop a notion of
behavioural refinement between CoCasl specifications. Then, the black-box/glass-box
view of [4] could be expressed in CoCasl as a refinement of a black-box
specification into a glass-box one, thus also providing a clear separation of
concerns.

The Coalgebraic Class Specification Language CCSL [25], developed in close
cooperation with the LOOP project [29], is based on the observation of [22] that
coalgebras can give a semantics to classes of object-oriented languages. CCSL
provides a notation for parameterized class specifications based on final
coalgebras. Its semantics is based on a higher-order equational logic, and it provides
theorem proving support by compilers that translate CCSL into the higher-order
logic of PVS and Isabelle. In its current version, CCSL does not support data
type specifications with partial constructors, axioms or equations, i.e. it only
supports free types in the sense of Casl. Recently CCSL has been extended
by binary methods [28], which are supported in CoCasl via cogenerated
constraints.

At the level of proof principles, recent research about circular coinduction 
[10] and terminal sequence induction [21] is expected to provide tactics for the 
encoding of CoCasl into Isabelle/HOL. 
Translating Logics for Coalgebras
Abstract. This paper shows that three different types of logics for
coalgebras are institutions. The logics differ regarding the presentation
of their syntax. In the first framework, abstract behavioural logic, one
has a syntax-free representation of behavioural properties. We then turn
to coalgebraic logic, the syntax of which is given as an initial algebra.
The last framework which we consider is coalgebraic modal logic, the
syntax of which is concretely given.



1 Introduction 

This paper tries to contribute to the question whether different types of logics,
interpreted over coalgebras, carry the structure of an institution. Institutions,
originally introduced by Goguen and Burstall, capture the interplay between the
transformation of systems and corresponding translations of logics. An institution
therefore consists of two parts: a class of systems, and a class of logics which
can be used to describe properties of the systems under consideration. Both are
linked by (semantical) transformations of systems and corresponding (syntactical)
translations of the logics. If the systems, together with their logics, form an
institution, we have the possibility to derive properties of a transformed system
from properties of the original system, which makes the concept of institutions
valuable in the stepwise process of building systems.

The class of systems we are dealing with in this paper are coalgebras for
an endofunctor on the category of sets. Coalgebras provide a uniform view on
a large class of state-based systems (see [20] for examples). In order to reason
about coalgebraically modelled systems, modal logic has proven an appropriate
tool ([10, 15, 8, 19, 7]).

Both the class of systems (coalgebras) and the corresponding class of (modal) 
logics are well understood - as long as we do not migrate between different types 
of systems (that is, between coalgebras for different functors) and leave the logics 
fixed. It is the purpose of this paper to add transformations between models and 
translation between the logics to the picture. 

After recalling some basic terminology, we first address the question whether
coinstitutions are the appropriate framework in which one should consider logics
for coalgebras and their translations. We can rightfully say that this is just a
matter of taste: every institution over a category $Sig$ of signatures corresponds
to a coinstitution over $Sig^{op}$, and vice versa (Proposition 1). In this light, we
choose to work with coinstitutions, which we feel are easier to work with in the
context of coalgebras, mainly because we do not need to work with the dual
category of signature morphisms.

Before dealing with translations on the logical side, we first study the trans- 
formation of models on semantical side. We argue that - working with coalgebras 
for endofunctors - natural transformations between functors provide us with a 
natural notion of signature morphism. This notion of signature morphism is then 
used to treat three different types of logics for coalgebras: abstract behavioural 
logic (the presentation of which is syntax free), coalgebraic logic (the syntax of 
which is abstract), and coalgebraic modal logic, where the syntax is concretely 
given. 

We show how to define translations between the logics for each of the three
different types. It turns out that the institution property of abstract behavioural
logic and coalgebraic modal logic is relatively easy to establish; in the case of
coalgebraic logic, one needs a small extension of the syntax.

2 Preliminaries and Notation 

In the whole paper, T denotes an endofunctor on the category Set of sets and 
functions. 



2.1 Coalgebras 

The definition of coalgebras (and their morphisms) dualises that of algebras for 
endofunctors: 

Definition 1 (Coalgebras, Morphisms). A $T$-coalgebra is a pair $(C, \gamma)$
where $C$ is a set and $\gamma : C \to TC$ is a function. A morphism between two
$T$-coalgebras $(C, \gamma)$ and $(D, \delta)$ is a function $f : C \to D$ which satisfies
$Tf \circ \gamma = \delta \circ f$.

Coalgebras, together with their morphisms, form a category, which we denote 
by CoAlg(T). 

We think of coalgebras for an endofunctor as a general framework for state 
based systems, and we think of T as a signature for the T-coalgebras. Instanti- 
ating the framework with specific endofunctors (different signatures), we obtain 
different types of systems: 

Example 1. (i) Suppose $T_1 X = L \times X$ for a set $L$ of labels. Then every state
$c \in C$ of a $T_1$-coalgebra $(C, \gamma)$ can be seen as producing an infinite trace of labels
$l \in L$:

$$c = c_0 \xrightarrow{l_1} c_1 \xrightarrow{l_2} c_2 \xrightarrow{l_3} \cdots$$

where $(l_k, c_k) = \gamma(c_{k-1})$ for $k > 0$.

(ii) For $T_2 X = (O \times X)^I$, the $T_2$-coalgebras are Mealy automata: given
$(C, \gamma) \in CoAlg(T_2)$, a state $c \in C$ and an input $i \in I$, the transition function $\gamma$
provides us with a new state $\pi_2 \circ \gamma(c)(i)$ and an output $o = \pi_1 \circ \gamma(c)(i) \in O$.

(iii) Suppose $T_3 X = \mathcal{P}(X)^L$, where $\mathcal{P}$ is the covariant powerset functor. Then
$T_3$-coalgebras are in 1-1 correspondence with labelled transition systems: given
$(C, \gamma) \in CoAlg(T_3)$, put $c \xrightarrow{l} c'$ iff $c' \in \gamma(c)(l)$.

One of the appealing features of the general theory of coalgebras is, that 
T-coalgebras come with a meaningful built-in notion of behavioural equivalence: 

Definition 2. Suppose $(C, \gamma)$ and $(D, \delta) \in CoAlg(T)$. Then a pair of states
$(c, d) \in C \times D$ is behaviourally equivalent if there is $(E, \varepsilon) \in CoAlg(T)$ and
a pair of morphisms $f : (C, \gamma) \to (E, \varepsilon)$ and $g : (D, \delta) \to (E, \varepsilon)$ such that
$f(c) = g(d)$.

This definition goes back to [11]; Rutten [20] has studied bisimulation, as
defined by Aczel and Mendler [1], as the fundamental notion of equivalence. Both
notions agree if the signature functor preserves weak pullbacks; for functors not
having this property, behavioural equivalence seems to be the more fundamental
notion of equivalence (see [11] for discussion). In the examples, behavioural
equivalence can be expressed as follows:

Example 2. (i) Let $T_1 X = L \times X$ and suppose $(C, \gamma)$ and $(D, \delta) \in CoAlg(T_1)$.
Then $(c, d) \in C \times D$ are behaviourally equivalent iff they produce the same trace
of labels $l \in L$.

(ii) In the case $T_2 X = (O \times X)^I$, every state $c \in C$ of a $T_2$-coalgebra $(C, \gamma)$
defines a function $f_c : I^\omega \to O^\omega$ (given $i = (i_n)_{n \in \omega}$, let $c = c_0$ and
$(o_n, c_{n+1}) = \gamma(c_n)(i_n)$; put $f_c(i) = (o_n)_{n \in \omega}$). We obtain that two states are
behaviourally equivalent iff the associated functions are equal.

(iii) For $T_3 X = \mathcal{P}(X)^L$ and $(C, \gamma), (D, \delta) \in CoAlg(T_3)$, behavioural
equivalence coincides with bisimulation, as used by Park [16] and Milner [14].

The significance of behavioural equivalence is that it identifies precisely those 
states, which cannot be distinguished from the outside. The logics, which we 
consider later, will all be invariant under behavioural equivalence. 

2.2 Institutions 

Institutions [21, 6] have been successfully used to describe the interplay between
translation of logics and transformations of models along morphisms of
signatures:

Definition 3. Suppose $Sig$ is a category (of signatures). An institution is a
triple $(Mod, Sen, \models)$ where

• $Mod : Sig \to Cat^{op}$ associates categories of models to signatures,

• $Sen : Sig \to Set$ associates a set of sentences (formulas) to every signature,
and

• $\models$ is a family $(\models_S)$ of relations $\models_S \subseteq Mod(S) \times Sen(S)$, indexed by the
signatures $S \in Sig$,

such that the satisfaction condition

$$Mod(\sigma)(M) \models_S \phi \iff M \models_{S'} Sen(\sigma)(\phi)$$

is satisfied for all $\sigma : S \to S'$, $M \in Mod(S')$ and $\phi \in Sen(S)$.
It is the purpose of the paper to establish the satisfaction condition for
different types of logics, interpreted over coalgebras. For other examples of
institutions, the reader is referred to the original paper by Goguen and Burstall [6].
Dually, we have

Definition 4. A coinstitution over a category $Sig$ of signatures consists of

• a functor $Mod : Sig \to Cat$,

• a functor $Sen : Sig \to Set^{op}$, and

• a family of relations $\models_S \subseteq Mod(S) \times Sen(S)$, indexed by the objects $S$
of $Sig$,

such that the dual of the satisfaction condition

$$Mod(\sigma)(M) \models_{S'} \phi \iff M \models_S Sen(\sigma)(\phi)$$

is satisfied for all $\sigma : S \to S'$, $M \in Mod(S)$ and $\phi \in Sen(S')$.

Note that, in a coinstitution, the translation $Mod$ of models is covariant, whereas
the translation $Sen$ of sentences is contravariant. However, when dualising
institutions, we do not obtain a new concept:

Proposition 1. Suppose $Sig$ is a category. Then there is a 1-1 correspondence
between institutions over $Sig$ and coinstitutions over $Sig^{op}$.

Proof. Suppose $(Mod, Sen, \models)$ is an institution over $Sig$. Then $(Mod^{op}, Sen^{op},
\models)$ is a coinstitution over $Sig^{op}$; clearly this construction can be reversed.

In the light of this proposition, the concept of coinstitution is strictly speaking
unnecessary. However, for the purposes of the present paper, we prefer to
work with coinstitutions. This allows us to take a subcategory $Sig \subseteq [Set, Set]$ of the
category of endofunctors (instead of $Sig^{op}$) as a category of signatures.

3 Translation of Models

One of the goals of this paper is to show that three different conceptions of
modal logic for coalgebras give rise to an institution. All three logics will be
interpreted over coalgebras for endofunctors on sets. Since we think of the
underlying endofunctor $T$ as a signature for the corresponding $T$-coalgebras,
signature morphisms need to mediate between endofunctors on $Set$. The obvious
notion for signature morphisms is therefore natural transformations (see [13]).
Thus, our category $Sig$ of signatures will have endofunctors as objects and natural
transformations as morphisms, that is, we take $Sig \subseteq [Set, Set]$ as a (possibly
non-full) subcategory of the functor category $[Set, Set]$. As far as signatures are
concerned, this setup is common to all three types of logics, which we show to
carry the structure of an institution. This section describes the model theoretic
part, that is, the $Mod$ functor, which translates models along signature
morphisms. The translation between models described here is the same for all three
conceptions of logics for coalgebras, which are later shown to carry the structure
of an institution.

Before we start to study the translation of models (coalgebras) along
signature morphisms, we first try to convince the reader that natural transformations
are indeed a natural choice for signature morphisms.

The key observation is the following:

Lemma 1. Suppose $T, S : Set \to Set$ and $\sigma : S \to T$ is a natural
transformation. Then $\sigma_* : CoAlg(S) \to CoAlg(T)$, defined by $\sigma_*(C, \gamma) = (C, \sigma(C) \circ \gamma)$, is
functorial.

Of course, this observation is not specific to the category of sets. We illustrate
the use of natural transformations using the running examples introduced above.

Example 3. We consider natural transformations between the signatures
discussed in Example 2.

(i) Every $T_1$-coalgebra $(C, \gamma)$ can be viewed as a Mealy automaton (that is,
as a $T_2$-coalgebra with $O = L$) if we simply ignore the input: put $\gamma'(c)(i) = \gamma(c)$ to
obtain a transition function $\gamma' : C \to (L \times C)^I = T_2(C)$. On the level of natural
transformations between the corresponding signature functors, this translation
is accomplished by $\sigma : T_1 \to T_2$, with $\sigma(X) : L \times X \to (L \times X)^I$ defined by
$\sigma(X)(x)(i) = x$.

(ii) We can also view every Mealy automaton as a labelled transition system.
Given a set $I$ of inputs and $O$ of outputs of the Mealy automaton, we put
$L = O \times I$. Given $(C, \gamma) \in CoAlg(T_2)$, we obtain a labelled transition system (i.e.
a $T_3$-coalgebra) by letting $c \xrightarrow{(o,i)} c'$ iff $\gamma(c)(i) = (o, c')$. Using natural
transformations, the situation is as follows: consider $\sigma : T_2 \to T_3$, given by
$\sigma(X) : (O \times X)^I \to \mathcal{P}(X)^{O \times I}$ where $\sigma(X)(f)(o, i) = \{x \in X \mid f(i) = (o, x)\}$.
We obtain $(C, \gamma') = \sigma_*(C, \gamma)$.
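The characterisations of behavioural equivalence in Example 2 and the translations of Example 3 can be exercised on finite coalgebras; the Python below is an added example, not code from the paper. For all three functors, which preserve weak pullbacks, behavioural equivalence coincides with bisimilarity, so the coarsest bisimulation is computed by partition refinement. The function `bisimilarity`, the dictionary encodings of $T_1$-, $T_2$- and $T_3$-coalgebras, the functions `trace_to_mealy` and `mealy_to_lts` (the maps $\sigma_*$ of Example 3) and the sample automata are all assumptions constructed for this example.

```python
"""Behavioural equivalence (Example 2) and signature-morphism translations
(Example 3) on finite coalgebras for T1 X = L x X, T2 X = (O x X)^I and
T3 X = P(X)^L.  Added example, not code from the paper; the encodings and
the sample automata below are assumptions constructed for illustration."""


def bisimilarity(states, succ):
    """Coarsest bisimulation on a finite coalgebra by partition refinement,
    returned as a map state -> block number.  succ(c) yields the labelled
    steps of c as pairs (label, frozenset of successor states); two states
    end up in one block iff they offer the same labels into the same blocks.
    All three functors preserve weak pullbacks, so this is exactly
    behavioural equivalence in the sense of Definition 2."""
    block = {c: 0 for c in states}
    while True:
        sig = {}
        for c in states:
            steps = sorted((lab, tuple(sorted({block[n] for n in nxt})))
                           for lab, nxt in succ(c))
            sig[c] = (block[c], tuple(steps))
        ids = {s: k for k, s in enumerate(sorted(set(sig.values())))}
        new = {c: ids[sig[c]] for c in states}
        if len(set(new.values())) == len(set(block.values())):
            return new                 # the refinement has stabilised
        block = new


def equivalent(block, c, d):
    return block[c] == block[d]


# Encodings.  T1: gamma[c] = (l, c').  T2: gamma[c][i] = (o, c').
# T3: delta[c][l] = set of successors (c --l--> c' iff c' in delta[c][l]).
def trace_succ(gamma):
    return lambda c: [(gamma[c][0], frozenset({gamma[c][1]}))]


def mealy_succ(gamma):
    return lambda c: [((i, o), frozenset({n})) for i, (o, n) in gamma[c].items()]


def lts_succ(delta):
    return lambda c: [(l, frozenset(ns)) for l, ns in delta[c].items()]


def trace_to_mealy(gamma, inputs):
    """sigma_* for sigma : T1 -> T2 of Example 3(i): the input is ignored,
    gamma'(c)(i) = gamma(c)."""
    return {c: {i: gamma[c] for i in inputs} for c in gamma}


def mealy_to_lts(gamma):
    """sigma_* for sigma : T2 -> T3 of Example 3(ii) with L = O x I:
    c --(o,i)--> c' iff gamma(c)(i) = (o, c')."""
    lts = {c: {} for c in gamma}
    for c, steps in gamma.items():
        for i, (o, n) in steps.items():
            lts[c].setdefault((o, i), set()).add(n)
    return lts


# Constructed sample Mealy automaton over I = {0, 1}, O = {'a', 'b'}:
# p and q are distinct states with the same input/output behaviour.
MEALY = {
    'p': {0: ('a', 'q'), 1: ('b', 'r')},
    'q': {0: ('a', 'p'), 1: ('b', 'r')},
    'r': {0: ('b', 'r'), 1: ('b', 'r')},
}

if __name__ == '__main__':
    b = bisimilarity(MEALY, mealy_succ(MEALY))
    print('p ~ q:', equivalent(b, 'p', 'q'), ' p ~ r:', equivalent(b, 'p', 'r'))
    lts = mealy_to_lts(MEALY)
    b2 = bisimilarity(lts, lts_succ(lts))
    print('after sigma_*: p ~ q:', equivalent(b2, 'p', 'q'))
```

Since $\sigma_*$ is a functor (Lemma 1), the witnessing morphisms of Definition 2 are carried along, so states that are behaviourally equivalent before a translation remain so after it; the states p and q of the sample automaton illustrate this under `mealy_to_lts`, and a labelled transition system with the same traces but different branching shows that bisimilarity on $T_3$-coalgebras is finer than trace equality.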

Note that we can also treat coalgebras for endofunctors which depend on an
additional parameter in our framework:

Example 4. Suppose $T : \mathcal{C} \times Set \to Set$, where $\mathcal{C}$ is an arbitrary category of
parameters. In order to emphasise the fact that we think of the first component as
a parameter, we write $T_A(X)$ for $T(A, X)$. Given a morphism $f : A \to B$ in $\mathcal{C}$, we
obtain a natural transformation $\sigma : T_A \to T_B$ with $\sigma(X) = T(f, id_X)$. Identifying
$A \in \mathcal{C}$ with the endofunctor $T_A$, we can thus treat $\mathcal{C}$ as a category of signatures
for coalgebras.

4 Abstract Behavioural Logic

This section shows that abstract behavioural logic can be endowed with the
structure of an institution. Abstract behavioural logic was studied in [10, 11], where
the term "logic" is understood in a very general sense:

Definition 5. A logic for coalgebras is a set $\mathcal{L}$ (the language of the logic),
together with a family $\models$ of relations, indexed by the $T$-coalgebras, such that
$\models_{(C,\gamma)} \subseteq C \times \mathcal{L}$. We call a logic behavioural if

$$d \models_{(D,\delta)} \phi \iff c \models_{(C,\gamma)} \phi$$

for all formulas $\phi \in \mathcal{L}$ and all behaviourally equivalent states $(c, d) \in C \times D$. As
usual, $(C, \gamma) \models \phi$ iff $\forall c \in C.\; c \models_{(C,\gamma)} \phi$, and
$[\![\phi]\!]_{(C,\gamma)} = \{c \in C \mid c \models_{(C,\gamma)} \phi\}$.

The starting point of the investigations conducted in [10, 11] is the
representation of formulas of a behavioural logic as subsets of the final $T$-coalgebra
(assuming it exists). This representation can be formulated as follows:

Proposition 2. Suppose $(Z, \zeta) \in CoAlg(T)$ is final and $\mathcal{L}$ is a behavioural logic
for $T$-coalgebras. Then

$$[\![\phi]\!]_{(C,\gamma)} = \,!^{-1}\big([\![\phi]\!]_{(Z,\zeta)}\big)$$

for all $(C, \gamma) \in CoAlg(T)$ and all $\phi \in \mathcal{L}$, where $! : C \to Z$ is the morphism given
by finality.

Proof. Immediate from the definition of behavioural equivalence.

Thus, every formula $\phi$ of a behavioural logic can be semantically represented
as a subset of the final $T$-coalgebra. Thus, if $(Z, \zeta)$ is final in $CoAlg(T)$, we can
view $\mathcal{P}(Z)$ as a behavioural logic with $c \models_{(C,\gamma)} \phi$ iff $!(c) \in \phi$, where $\phi \in \mathcal{P}(Z)$ and
$! : C \to Z$ is the final morphism:

Definition 6. Suppose $(Z, \zeta)$ is final in $CoAlg(T)$. The abstract behavioural
logic $A_T = \mathcal{P}(Z)$ has subsets of the final $T$-coalgebra as formulas. Satisfaction
is given by $c \models_{(C,\gamma)} \phi$ iff $!(c) \in \phi$.

It is immediately obvious from the definition of behavioural logic that
abstract behavioural logic is indeed behavioural. We now add signature morphisms
to the picture. So suppose $\sigma : S \to T$ is a natural transformation. If $(Z_S, \zeta_S)$ is
final in $CoAlg(S)$, then $\sigma_*(Z_S, \zeta_S) \in CoAlg(T)$; thus, assuming $(Z_T, \zeta_T)$ is final
in $CoAlg(T)$, we have a unique morphism $! : \sigma_*(Z_S, \zeta_S) \to (Z_T, \zeta_T)$, the inverse
image of which induces a translation $\sigma^* : A_T \to A_S$ between the abstract logics
associated to $T$ and $S$.

Proposition 3. Suppose $\sigma : S \to T$, and $S, T$ allow for final coalgebras $(Z_S, \zeta_S)$
and $(Z_T, \zeta_T)$, respectively. Then

$$(C, \gamma) \models \sigma^*\phi \iff \sigma_*(C, \gamma) \models \phi$$

for all $(C, \gamma) \in CoAlg(S)$ and all $\phi \in A_T$, where $\sigma^* = \,!^{-1}$ for the unique
morphism $! : \sigma_*(Z_S, \zeta_S) \to (Z_T, \zeta_T)$ given by finality.

Proof. Suppose $(C, \gamma) \in CoAlg(S)$ and consider the diagram

[Commutative diagram: top row $C \xrightarrow{u} Z_S \xrightarrow{v} Z_T$; structure maps
$\gamma : C \to SC$, $\zeta_S : Z_S \to SZ_S$, $\zeta_T : Z_T \to TZ_T$; components $\sigma(C) : SC \to TC$
and $\sigma(Z_S) : SZ_S \to TZ_S$; bottom rows $SC \xrightarrow{Su} SZ_S$ and
$TC \xrightarrow{Tu} TZ_S \xrightarrow{Tv} TZ_T$.]

where $u$ is the morphism given by finality of $(Z_S, \zeta_S)$ and $v$ is the morphism
given by finality of $(Z_T, \zeta_T)$. Suppose $\phi \in A_T$ and $c \in C$. Then $c \models_{(C,\gamma)} \sigma^*\phi$
iff $u(c) \in v^{-1}(\phi)$ iff $v \circ u(c) \in \phi$ iff $c \models_{\sigma_*(C,\gamma)} \phi$, since
$v \circ u : \sigma_*(C, \gamma) \to (Z_T, \zeta_T)$ is equal to the unique morphism given by finality
of $(Z_T, \zeta_T)$.

If we take some care in setting up our category of signatures $Sig$ so as to ensure
that every endofunctor $T \in Sig$ admits a final coalgebra (otherwise abstract
behavioural logic isn't meaningful), we obtain:

Theorem 1. Suppose $Sig \subseteq [Set, Set]$ is a subcategory such that every $T \in Sig$
admits a final $T$-coalgebra. Let $Sen(T) = A_T$ and $Sen(\sigma) = \sigma^*$. Then
$(Sig, Mod, Sen, \models)$, with $\models$ as in Definition 6, is a coinstitution.

This theorem shows that behavioural logics are an institution, if we replace
the concrete syntax by a semantical abstraction. We now turn to coalgebraic
logic, the language of which is given inductively as an initial algebra.

5 Coalgebraic Logic 

Coalgebraic Logic, due to Moss [15], is a modal logic interpreted over coalgebras. The main feature of coalgebraic logic is the insight that, on the level of $T$-coalgebras for an arbitrary endofunctor $T$, modal operators can be expressed using functor application. It turns out that coalgebraic logic, as originally defined by Moss [15], is not an institution: one cannot translate formulas along non-injective signature morphisms. However, adapting the definition slightly, we obtain a logic which is an institution and into which coalgebraic logic can be conservatively embedded. In the original paper, the language of coalgebraic logic comprises a (in general proper) class of formulas, and is constructed by extending the endofunctor $T$ to classes (assuming that $T$ is standard and set-based). Here, we give an alternative (but equivalent) presentation of coalgebraic logic, which dispenses with the use of classes at the expense of assuming the existence of an inaccessible cardinal. Instead of assuming $T$ to be standard and set-based, we assume that $T$ is $\kappa$-accessible, for some inaccessible cardinal $\kappa$. In a nutshell, the accessibility condition assures that the image of $T$ on a set is already determined by the image of $T$ on sets of cardinality less than $\kappa$; this is a technical requirement which ensures the existence of initial algebras, which constitute a part of the syntax of coalgebraic logic. We make this choice simply because we think that accessibility of an endofunctor is, for most readers, a more familiar concept than being standard and set-based.

The second condition we have to require is that $T$ extends to an endofunctor $\bar{T}$ on the category $\mathrm{Rel}$ of sets and relations (we often write $R : A \rightharpoondown B$ for a relation $R \subseteq A \times B$). This extension is given by $\bar{T}X = TX$ for sets $X$ and $\bar{T}R = T\pi_2 \circ (T\pi_1)^{-1}$, for a relation $R : A \rightharpoondown B$ with associated projections $\pi_1 : R \to A$ and $\pi_2 : R \to B$ (this is as in [15]). It is well known (the original reference is [4]) that functoriality of $\bar{T}$ is equivalent to $T$ preserving weak pullbacks. We now introduce syntax and semantics of coalgebraic logic, where we assume throughout the section that $T$ is $\kappa$-accessible for some inaccessible $\kappa$ and preserves weak pullbacks, and denote the bounded powerset functor by $\mathcal{P}_\kappa$, that is, $\mathcal{P}_\kappa(X) = \{Y \subseteq X \mid \mathrm{card}(Y) < \kappa\}$.

Definition 7. Let $L_T = \mathcal{P}_\kappa + \mathcal{P}_\kappa \circ T$. The syntax of coalgebraic logic is the carrier $\mathcal{L}_T$ of the initial $L_T$-algebra $(\mathcal{L}_T, \iota_T)$.

If $(C, \gamma) \in \mathrm{CoAlg}(T)$, put $d_C : \mathcal{P}_\kappa(\mathcal{P}(C)) \to \mathcal{P}(C)$, $d_C(\Phi) = \bigcap \Phi$, and $e_C : \mathcal{P}_\kappa T \mathcal{P}(C) \to \mathcal{P}(C)$, $e_C(x) = \{c \in C \mid \exists y \in x.\ (\gamma(c), y) \in \bar{T}(\in_C)\}$, where $\in_C \subseteq C \times \mathcal{P}(C)$ is the membership relation.

The semantics $[\![\,\cdot\,]\!]_{(C,\gamma)} : \mathcal{L}_T \to \mathcal{P}(C)$ of $\mathcal{L}_T$ with respect to $(C, \gamma)$ is the unique function with $[d_C, e_C] \circ L_T([\![\,\cdot\,]\!]_{(C,\gamma)}) = [\![\,\cdot\,]\!]_{(C,\gamma)} \circ \iota_T$. If $c \in [\![\phi]\!]_{(C,\gamma)}$ we also write $c \models_{(C,\gamma)} \phi$; we drop the subscript $(C, \gamma)$ whenever there is no danger of confusion; also $(C, \gamma) \models \phi$ iff $c \models_{(C,\gamma)} \phi$ for all $c \in C$.

Note $\mathcal{L}_T$ contains $\mathrm{tt} = \bigwedge \emptyset$ and is closed under conjunctions of size $< \kappa$.

In the above definition, the auxiliary family of functions $d_C$ is used to interpret conjunctions, and $e_C$ takes care of the modalities. Note that the initial $L_T$-algebra $(\mathcal{L}_T, \iota_T)$ always exists since $L_T$ is $\kappa$-accessible, see [2]. If $\mathrm{in}_1 : \mathcal{P}_\kappa \mathcal{L}_T \to \mathcal{P}_\kappa \mathcal{L}_T + \mathcal{P}_\kappa T \mathcal{L}_T$ and $\mathrm{in}_2 : \mathcal{P}_\kappa T \mathcal{L}_T \to \mathcal{P}_\kappa \mathcal{L}_T + \mathcal{P}_\kappa T \mathcal{L}_T$ denote the coproduct injections, we write $\bigwedge_T = \iota_T \circ \mathrm{in}_1$ and $\nabla_T = \iota_T \circ \mathrm{in}_2$. The language of coalgebraic logic can thus be described as the least set such that

$\Phi \subseteq \mathcal{L}_T,\ \mathrm{card}(\Phi) < \kappa \implies \bigwedge_T \Phi \in \mathcal{L}_T$

$\Phi \subseteq T\mathcal{L}_T,\ \mathrm{card}(\Phi) < \kappa \implies \nabla_T \Phi \in \mathcal{L}_T$

This presentation also highlights the (only) difference compared to Moss' original definition, where one does not take subsets of $T\mathcal{L}_T$ in the second clause, but elements of $T\mathcal{L}_T$.

If $(C, \gamma) \in \mathrm{CoAlg}(T)$, we then obtain

$c \models \bigwedge \Phi$ iff $c \models \phi$ for all $\phi \in \Phi$

$c \models \nabla \Psi$ iff $(\gamma(c), \phi) \in \bar{T}(\models)$ for some $\phi \in \Psi$

for subsets $\Phi \subseteq \mathcal{L}_T$ and $\Psi \subseteq T\mathcal{L}_T$ of cardinality less than $\kappa$, where $\models \subseteq C \times \mathcal{L}_T$ is the satisfaction relation.

We give a brief example of the nature of coalgebraic logic; for an in-depth discussion and more examples see Moss' original article [15].

Example 5. Let $TX = L \times X$, where $L$ is a set of labels; we drop the subscript "$T$" on $\mathcal{L}$ and $\nabla$. As already mentioned, $\mathrm{tt} \in \mathcal{L}$ and obviously $[\![\mathrm{tt}]\!] = C$ for all $(C, \gamma) \in \mathrm{CoAlg}(T)$. If $l \in L$, we have $\{(l, \mathrm{tt})\} \subseteq T\mathcal{L}$, hence $\nabla\{(l, \mathrm{tt})\} \in \mathcal{L}$. Unravelling the definitions, one obtains $c \models \nabla\{(l, \mathrm{tt})\}$ iff $\pi_1 \circ \gamma(c) = l$. In the same manner, one has $\nabla\{(m, \nabla\{(l, \mathrm{tt})\})\} \in \mathcal{L}$ for $m \in L$ with $c \models \nabla\{(m, \nabla\{(l, \mathrm{tt})\})\}$ iff the stream associated to $c$ (cf. Example 1) begins with $m$ and is followed by $l$.

Note that, if we restrict ourselves to singleton sets (as in the original paper [15]) as arguments of $\nabla$, we cannot express the fact that a stream starts with $l_0$ or $l_1$ logically. This is the reason why coalgebraic logic, in its original formulation, fails to be a coinstitution: we cannot translate formulas along a signature morphism which identifies two labels $l_0$ and $l_1$.

The generalisation of the original definition of coalgebraic logic does not allow us to distinguish bisimilar states. In other words, we have:

Proposition 4. $\mathcal{L}_T$ is behavioural.

Proof. It suffices to show that $f(c) \models_{(D,\delta)} \phi$ iff $c \models_{(C,\gamma)} \phi$ whenever $\phi \in \mathcal{L}_T$, $f : (C, \gamma) \to (D, \delta) \in \mathrm{CoAlg}(T)$ and $c \in C$. This follows from the fact that $f^{-1} : \mathcal{P}(D) \to \mathcal{P}(C)$ is a morphism of the $L_T$-algebras $(\mathcal{P}(D), [d_D, e_D])$ and $(\mathcal{P}(C), [d_C, e_C])$, where $d_D, e_D, d_C$ and $e_C$ are as in Definition 7.

To see that $f^{-1}$ is a morphism of algebras, it suffices to show that the square

[Diagram: $\mathcal{P}_\kappa T \mathcal{P}(D) \xrightarrow{e_D} \mathcal{P}(D)$ (top) and $\mathcal{P}_\kappa T \mathcal{P}(C) \xrightarrow{e_C} \mathcal{P}(C)$ (bottom), with vertical arrows $\mathcal{P}_\kappa T(f^{-1})$ on the left and $f^{-1}$ on the right]

commutes. For $c \in C$ and $x \in \mathcal{P}_\kappa T \mathcal{P}(D)$, we have

$c \in e_C \circ \mathcal{P}_\kappa T(f^{-1})(x)$
iff $\exists y \in x.\ (Tf \circ \gamma(c), y) \in \bar{T}(\in_D)$
iff $\exists y \in x.\ (\delta \circ f(c), y) \in \bar{T}(\in_D)$
iff $c \in f^{-1} \circ e_D(x)$,

which shows the claim.

We now turn to showing that coalgebraic logic forms an institution. Here, a little care is needed when setting up the category of signatures and the category of models: recall that we have required $T$ to be $\kappa$-accessible for some inaccessible $\kappa$. To show the satisfaction condition (and to define the appropriate translations), we need to restrict the cardinality of the models to $< \kappa$ and require that $T$ restricts to the full subcategory of sets which are of cardinality less than $\kappa$. Working with classes, this would be unnecessary; we would instead have to require the dual condition that $T$ can be continuously extended to classes.

Definition 8. A $\kappa$-accessible endofunctor is below $\kappa$ if $|TX| < \kappa$ whenever $|X| < \kappa$.

Most $\kappa$-accessible functors are indeed below $\kappa$. The prime example of a $\kappa$-accessible functor which is not below $\kappa$ is the constant functor with value $\kappa$. The following lemma gives a characterisation of functors below $\kappa$ which just depends on the value of the functor at $1$.

Lemma 2. Suppose $T$ is $\kappa$-accessible. Then $T$ is below $\kappa$ iff $|T1| < \kappa$.

Proof. If $|X| < \kappa$, then the diagram $(\{x\} \hookrightarrow X \mid x \in X)$ is $\kappa$-filtered. The claim follows from $\kappa$ being inaccessible and from the construction of $\kappa$-filtered colimits (see [3]).

In order to establish the satisfaction condition, we additionally have to require that the natural transformation $\sigma$ is compatible with the extensions $\bar{S}$ and $\bar{T}$ to relations. That is, we require that $G(\sigma) : \bar{S} \to \bar{T}$ is natural, where $G(\sigma)(X) = G(\sigma(X)) : SX \rightharpoondown TX$ is defined as the graph of $\sigma(X)$, for $X$ a set. In this case, we call $\sigma$ relational.

Many natural transformations can be shown to be relational using the following criterion:



Lemma 3. A natural transformation $\sigma : S \to T$ is relational if every naturality square

[Diagram: $SA \xrightarrow{\sigma(A)} TA$ (top), $SB \xrightarrow{\sigma(B)} TB$ (bottom), with vertical arrows $Sf$ on the left and $Tf$ on the right]

where $f : A \to B$, is a weak pullback.

Proof. Suppose $A, B$ are sets and $R : A \rightharpoondown B$ is a relation; we need to show that

[Diagram: $SA \xrightarrow{G(\sigma(A))} TA$ (top), $SB \xrightarrow{G(\sigma(B))} TB$ (bottom), with vertical arrows $\bar{S}(R)$ on the left and $\bar{T}(R)$ on the right]

commutes in $\mathrm{Rel}$.

First suppose that $(x, y) \in G(\sigma(B)) \circ \bar{S}(R)$. Thus there is some $x_1 \in S(R)$ with $S\pi_1(x_1) = x$ and $\sigma(B) \circ S\pi_2(x_1) = y$. Put $y_1 = \sigma(R)(x_1)$. Then $T\pi_1(y_1) = \sigma(A)(x)$ and $T\pi_2(y_1) = y$, hence $(x, y) \in \bar{T}(R) \circ G(\sigma(A))$.

Now let $(x, y) \in \bar{T}(R) \circ G(\sigma(A))$. As above, there is $y_1 \in TR$ with $T\pi_1(y_1) = \sigma(A)(x)$ and $T\pi_2(y_1) = y$. Since

[Diagram: $SR \xrightarrow{\sigma(R)} TR$ (top), $SA \xrightarrow{\sigma(A)} TA$ (bottom), with vertical arrows $S\pi_1$ on the left and $T\pi_1$ on the right]

is a weak pullback, there is $x_1 \in SR$ with $\sigma(R)(x_1) = y_1$ and $S\pi_1(x_1) = x$. Using naturality of $\sigma$, we obtain $S\pi_1(x_1) = x$ and $\sigma(B) \circ S\pi_2(x_1) = y$, so $(x, y) \in G(\sigma(B)) \circ \bar{S}(R)$.
Using the fact that products, coproducts, the powerset functor, identity functor and constant functors preserve weak pullbacks, we have the following criterion, which can be applied to a large class of signatures obtained via parameterised functors (cf. Example 4).

Corollary 1. Suppose $T : \mathrm{Set} \times \mathrm{Set} \to \mathrm{Set}$ is built using products, coproducts, the powerset functor, identity functor and constant functors only. Then, given $f : A \to B$, the natural transformation $T(f, \mathrm{id}) : T_A \to T_B$ is relational.

Given a (not necessarily relational) transformation $\sigma : S \to T$, we can define a translation $\sigma^* : \mathcal{L}_T \to \mathcal{L}_S$ as follows: since $\mathcal{L}_T$ supports the structure $\iota_T$ of an initial $L_T$-algebra, every $L_T$-algebra structure $t : L_T \mathcal{L}_S \to \mathcal{L}_S$ defines a unique mapping $\sigma^* : \mathcal{L}_T \to \mathcal{L}_S$ with $\sigma^* \circ \iota_T = t \circ L_T(\sigma^*)$. So we have to find an appropriate $L_T$-algebra structure $t$ on $\mathcal{L}_S$. We let $t = [t_1, t_2]$ where $t_1 : \mathcal{P}_\kappa \mathcal{L}_S \to \mathcal{L}_S$ is $\bigwedge_S$ and $t_2 : \mathcal{P}_\kappa \circ T \mathcal{L}_S \to \mathcal{L}_S$ is given as $t_2 = \nabla_S \circ \sigma(\mathcal{L}_S)^{-1}$. Note that $\sigma(\mathcal{L}_S)^{-1}$ maps $\mathcal{P}_\kappa(T\mathcal{L}_S) \to \mathcal{P}_\kappa(S\mathcal{L}_S)$.

Proposition 5. Suppose $\sigma : S \to T$ is relational and $(C, \gamma) \in \mathrm{CoAlg}(S)$. Then

$(C, \gamma) \models \sigma^*(\phi) \iff \sigma(C, \gamma) \models \phi$

for all $\phi \in \mathcal{L}_T$, provided $|C| < \kappa$.



Proof. Let $d = d_C$ and $e = e_C$ be as in Definition 7, and let $d^\sigma$ and $e^\sigma$ be the corresponding functions for the $T$-coalgebra $\sigma(C, \gamma)$, that is, $d^\sigma(x) = \bigcap x$ and $e^\sigma(x) = \{c \in C \mid \exists y \in x.\ (\sigma(C) \circ \gamma(c), y) \in \bar{T}(\in_C)\}$. Then, by definition of $[\![\,\cdot\,]\!]_T$ (the semantics of $\mathcal{L}_T$ with respect to $\sigma(C, \gamma)$), we have $[\![\,\cdot\,]\!]_T \circ \iota_T = [d^\sigma, e^\sigma] \circ (\mathcal{P}_\kappa [\![\,\cdot\,]\!]_T + \mathcal{P}_\kappa T [\![\,\cdot\,]\!]_T)$. Consider the following diagram:

[Diagram: top row $L_T \mathcal{L}_T \xrightarrow{L_T \sigma^*} L_T \mathcal{L}_S \xrightarrow{L_T [\![\,\cdot\,]\!]_S} L_T \mathcal{P}(C)$; middle row $L_S \mathcal{L}_S \xrightarrow{L_S [\![\,\cdot\,]\!]_S} L_S \mathcal{P}(C)$, reached from the top row by $\mathrm{id} + \sigma(\mathcal{L}_S)^{-1}$ and $\mathrm{id} + \sigma(\mathcal{P}C)^{-1}$; bottom row $\mathcal{L}_T \xrightarrow{\sigma^*} \mathcal{L}_S \xrightarrow{[\![\,\cdot\,]\!]_S} \mathcal{P}(C)$, reached by the algebra structures $[\bigwedge_T, \nabla_T]$, $[\bigwedge_S, \nabla_S]$ and $[d, e]$]

The left hand square commutes by definition of $\sigma^*$ and the lower right hand square by definition of $[\![\,\cdot\,]\!]_S$. We show that

(i) $[d, e] \circ (\mathrm{id} + \sigma(\mathcal{P}C)^{-1}) = [d^\sigma, e^\sigma]$

(ii) The top right corner commutes.

Both claims then entail the satisfaction condition as stated.

Ad (i): Since $\sigma$ is relational, we have $\bar{T}(\in_C) \circ G(\sigma(C)) = G(\sigma(\mathcal{P}C)) \circ \bar{S}(\in_C)$. Now let $c \in C$ and $x \in \mathcal{P}_\kappa T \mathcal{P}(C)$. We have

$c \in e^\sigma(x)$
iff $\exists y \in x.\ (\gamma(c), y) \in G(\sigma(\mathcal{P}C)) \circ \bar{S}(\in_C)$
iff $\exists z \in \sigma(\mathcal{P}C)^{-1}(x).\ (\gamma(c), z) \in \bar{S}(\in_C)$
iff $c \in e \circ \sigma(\mathcal{P}C)^{-1}(x)$.
Ad (ii): If $R$ is a relation, we denote the opposite relation by $R^{op}$. Then, for a function $f$, we have $G(Tf)^{op} = \bar{T}((Gf)^{op})$, and similarly for $S$. Also note that $\bar{T}(G[\![\,\cdot\,]\!]_S^{op}) \circ G(\sigma(\mathcal{P}C)) = G(\sigma(\mathcal{L}_S)) \circ \bar{S}(G[\![\,\cdot\,]\!]_S^{op})$ since $\sigma$ is relational. Having said that, we obtain for $\phi \in \mathcal{P}_\kappa T \mathcal{L}_S$ and $c \in S\mathcal{P}C$:

$c \in \mathcal{P}_\kappa S[\![\,\cdot\,]\!]_S \circ \sigma(\mathcal{L}_S)^{-1}(\phi)$
iff $\exists v \in \phi.\ (c, v) \in G(\sigma(\mathcal{L}_S)) \circ \bar{S}(G[\![\,\cdot\,]\!]_S^{op})$
iff $\exists v \in \phi.\ (c, v) \in \bar{T}(G[\![\,\cdot\,]\!]_S^{op}) \circ G(\sigma(\mathcal{P}C))$
iff $c \in \sigma(\mathcal{P}C)^{-1} \circ \mathcal{P}_\kappa T[\![\,\cdot\,]\!]_S(\phi)$,

that is, the satisfaction condition holds.

Taking some care when choosing signatures and models, coalgebraic logic is a coinstitution ($\mathrm{Mod}^\kappa(T)$ is the full subcategory of $T$-coalgebras with carrier of cardinality $< \kappa$):

Theorem 2. Suppose $\mathrm{Sig} \subseteq [\mathrm{Set}, \mathrm{Set}]$ is a subcategory such that

• each $T \in \mathrm{Sig}$ is below $\kappa$,

• each $\sigma : S \to T \in \mathrm{Sig}$ is relational.

Then $(\mathrm{Sig}, \mathrm{Mod}^\kappa, \mathrm{Sen}, \models)$, with $\mathrm{Sen}(T) = \mathcal{L}_T$ and $\mathrm{Sen}(\sigma) = \sigma^*$, is a coinstitution.



6 Coalgebraic Modal Logic 

We have seen in the previous sections that abstract behavioural logic and coalgebraic logic are coinstitutions. The formulation of abstract modal logic is completely syntax-free; the language of coalgebraic modal logic is abstract in that it is given as an initial algebra. We now investigate coalgebraic modal logic, the language of which is concretely given as propositional logic enriched with modal operators. Coalgebraic modal logic is based on the observation that predicate liftings, which we now introduce, generalise modal operators from Kripke models to coalgebras for arbitrary signature functors.

Predicate liftings were first considered by Jacobs and Hermida [9] in the context of coinduction principles and later by Rößiger [18] and Jacobs [8] in the context of modal logic. There, as well as in the related paper [18], predicate liftings appear as syntactically defined entities, and naturality is a derived property. The notion of predicate lifting used in the present exposition is more general and takes naturality as the defining property.

Definition 9. A predicate lifting for $T$ is a natural transformation $\lambda : 2 \to 2 \circ T$, where $2 : \mathrm{Set} \to \mathrm{Set}^{op}$ denotes the contravariant powerset functor.

The next example shows that predicate liftings do not only capture modal operators, but can also be used to interpret atomic propositions.
Example 6. Suppose $TX = \mathcal{P}(X) \times \mathcal{P}(A)$. Then every $T$-coalgebra $(C, \gamma)$ defines a Kripke model $\mathcal{K}(C, \gamma) = (C, R, V)$ over the set $A$ of atomic propositions: the accessibility relation is given by $(c, c') \in R$ iff $c' \in \pi_1 \circ \gamma(c)$, and for $a \in A$ we have $V(a) = \{c \in C \mid a \in \pi_2 \circ \gamma(c)\}$.

Now, for a set $C$, consider the operation $\lambda(C) : \mathcal{P}(C) \to \mathcal{P}(TC)$ given by $\lambda(C)(X) = \{(Y, B) \in TC \mid Y \subseteq X\}$. It is easy to see that $\lambda$ defines a predicate lifting for $T$. Now suppose $(C, \gamma) \in \mathrm{CoAlg}(T)$ and $X \subseteq C$, which we think of as the interpretation of a modal formula $\phi$. Under the correspondence outlined above, we have $\gamma^{-1} \circ \lambda(C)(X) = \{c \in C \mid \forall c'.\ (c, c') \in R \Rightarrow c' \in X\}$, corresponding to the interpretation of the formula $\Box\phi$.

For the case of atomic propositions, consider the constant lifting for $a \in A$, defined by $\alpha(C)(X) = \{(Y, B) \in TC \mid a \in B\}$. Again, an easy calculation shows that $\alpha$ is a predicate lifting. Identifying $T$-coalgebras with Kripke models via the correspondence above, we obtain for $(C, \gamma) \in \mathrm{CoAlg}(T)$ and an arbitrary subset $X \subseteq C$ that $\gamma^{-1} \circ \alpha(C)(X) = V(a)$, that is, the set of states which validate the proposition $a$.

This leads us to study propositional logic, enriched with predicate liftings, as a logic for coalgebras.

Definition 10. Suppose $T : \mathrm{Set} \to \mathrm{Set}$ and $\Lambda$ is a set of predicate liftings for $T$. The language $\mathcal{L}(\Lambda_T)$ of coalgebraic modal logic associated with $T$ and $\Lambda$ is the least set according to the grammar

$\phi ::= \mathrm{ff} \mid \phi \to \psi \mid [\lambda]\phi \quad (\lambda \in \Lambda)$.

Given $(C, \gamma) \in \mathrm{CoAlg}(T)$, the semantics $[\![\phi]\!]_{(C,\gamma)} = [\![\phi]\!]$ of formulas $\phi \in \mathcal{L}(\Lambda)$ is given by:

$[\![\mathrm{ff}]\!] = \emptyset$

$[\![\phi \to \psi]\!] = (C \setminus [\![\phi]\!]) \cup [\![\psi]\!]$

$[\![[\lambda]\phi]\!] = \gamma^{-1} \circ \lambda(C)([\![\phi]\!])$.

As usual, we write $c \models_{(C,\gamma)} \phi$ (and drop the subscript if there is no danger of confusion) if $c \in [\![\phi]\!]_{(C,\gamma)}$. Also as usual, we write $(C, \gamma) \models \phi$ if $c \models_{(C,\gamma)} \phi$ for all $c \in C$.

An easy induction on the structure of formulas shows that coalgebraic modal logic cannot distinguish between states which are behaviourally equivalent.

Lemma 4. Coalgebraic modal logic is behavioural.

Proof. By induction on the structure of formulas, one shows that $[\![\phi]\!]_{(C,\gamma)} = f^{-1}([\![\phi]\!]_{(D,\delta)})$ for $\phi \in \mathcal{L}(\Lambda)$ and a morphism of coalgebras $f : (C, \gamma) \to (D, \delta)$. The claim follows from the definition of behavioural equivalence.

We now investigate the effect of signature morphisms on formulas. The key observation is the following:

Lemma 5. Suppose $\sigma : S \to T$ is natural and $\lambda$ is a predicate lifting for $T$. Then $\sigma^{-1} \circ \lambda$ is a predicate lifting for $S$.

The proof is a straightforward calculation and therefore omitted. That is, a signature morphism $\sigma : S \to T$ translates the modal operators associated with $T$ to modal operators for $S$. This defines an inductive translation between languages for $T$ and languages for $S$:

Definition 11. Suppose $\sigma : S \to T$ and suppose that $\Lambda_T, \Lambda_S$ are sets of predicate liftings for $T$ and $S$, respectively. Let $\sigma^{-1}(\Lambda) = \{\sigma^{-1} \circ \lambda \mid \lambda \in \Lambda\}$. If $\Lambda_S \supseteq \sigma^{-1}(\Lambda_T)$, we define $\sigma^* : \mathcal{L}(\Lambda_T) \to \mathcal{L}(\sigma^{-1}(\Lambda_T)) \subseteq \mathcal{L}(\Lambda_S)$ by

$\sigma^*(\mathrm{ff}) = \mathrm{ff}$

$\sigma^*(\phi \to \psi) = \sigma^*(\phi) \to \sigma^*(\psi)$

$\sigma^*([\lambda]\phi) = [\sigma^{-1} \circ \lambda]\sigma^*(\phi)$

Using this translation, we have the following property, which immediately entails the satisfaction condition:

Lemma 6. Suppose $\sigma : S \to T$ and $\Lambda_T, \Lambda_S$ are sets of predicate liftings for $T$ and $S$, respectively, with $\sigma^{-1}(\Lambda_T) \subseteq \Lambda_S$. Then

for all $(C, \gamma) \in \mathrm{CoAlg}(S)$ and all $\phi \in \mathcal{L}(\Lambda_T)$.

Proof. We proceed by induction on the structure of formulas and do the only interesting case $\phi = [\lambda]\psi$: by induction hypothesis we may assume that

$[\![\sigma^*(\psi)]\!]_{(C,\gamma)} = [\![\psi]\!]_{\sigma(C,\gamma)}$.

We obtain

$[\![\sigma^*([\lambda]\psi)]\!]_{(C,\gamma)} = \gamma^{-1} \circ \sigma(C)^{-1} \circ \lambda(C)([\![\sigma^*(\psi)]\!]_{(C,\gamma)})$

$= (\sigma(C) \circ \gamma)^{-1} \circ \lambda(C)([\![\psi]\!]_{\sigma(C,\gamma)})$

$= [\![[\lambda]\psi]\!]_{\sigma(C,\gamma)}$,

which finishes the proof.

Again, we have to pay some attention when setting up the category of signatures in order to obtain an institution.

Theorem 3. Suppose $\mathrm{Sig} \subseteq [\mathrm{Set}, \mathrm{Set}]$ is a subcategory, and

• $\Lambda_T$ is a set of predicate liftings for all $T \in \mathrm{Sig}$, and

• $\sigma^{-1}(\Lambda_T) \subseteq \Lambda_S$ for all $\sigma : S \to T \in \mathrm{Sig}$.

Then $(\mathrm{Sig}, \mathrm{Mod}, \mathrm{Sen}, \models)$ is an institution, where $\mathrm{Sen}(T) = \mathcal{L}(\Lambda_T)$ for $T \in \mathrm{Sig}$ and $\mathrm{Sen}(\sigma) = \sigma^*$ for $\sigma : S \to T \in \mathrm{Sig}$.
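As an added worked example (constructed here, not code from the paper), the following Python computes the semantics of Definition 10 over the Kripke signature $TX = \mathcal{P}(X) \times \mathcal{P}(A)$ of Example 6, checks that the lifting $\lambda$ yields the Kripke box and the constant lifting yields $V(a)$, and then translates formulas along a constructed signature morphism $\sigma : S \to T$ with $SX = \mathcal{P}(X)$ and $\sigma(X)(Y) = (Y, \emptyset)$, verifying the equation used in the proof of Lemma 6 on a small coalgebra. The carrier, atoms and coalgebras are made-up data; formulas are tuples and liftings are represented by their components $\lambda(C)$ on a finite carrier.

```python
"""Coalgebraic modal logic (Definition 10) over the Kripke signature
TX = P(X) x P(A) of Example 6, plus the translation along a signature
morphism of Definition 11.  All data here is constructed for illustration."""
from itertools import combinations


def powerset(s):
    """All subsets of a finite set as frozensets, i.e. P(X) for finite X."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


A = frozenset({"p", "q"})      # constructed set of atomic propositions
C = frozenset({0, 1, 2})       # constructed carrier


def T_elements(carrier):
    """Elements of TC = P(C) x P(A): pairs (successor set, atoms)."""
    return [(succ, atoms) for succ in powerset(carrier) for atoms in powerset(A)]


# Predicate liftings for T (Example 6), given by components lam(C): P(C) -> P(TC).
def box_lifting(carrier, X):
    return {(succ, atoms) for succ, atoms in T_elements(carrier) if succ <= X}


def atom_lifting(a):
    def lift(carrier, X):      # the constant lifting: independent of X
        return {(succ, atoms) for succ, atoms in T_elements(carrier) if a in atoms}
    return lift


LIFTINGS_T = {"box": box_lifting, "p": atom_lifting("p"), "q": atom_lifting("q")}

# Formulas of Definition 10: ("ff",) | ("imp", phi, psi) | ("mod", name, phi)
FF = ("ff",)


def neg(phi):
    return ("imp", phi, FF)


def mod(name, phi):
    return ("mod", name, phi)


def sem(phi, carrier, gamma, liftings):
    """[[phi]]_(C,gamma) as a frozenset of states (Definition 10)."""
    if phi[0] == "ff":
        return frozenset()
    if phi[0] == "imp":
        left = sem(phi[1], carrier, gamma, liftings)
        return (carrier - left) | sem(phi[2], carrier, gamma, liftings)
    _, name, sub = phi
    lifted = liftings[name](carrier, sem(sub, carrier, gamma, liftings))
    return frozenset(c for c in carrier if gamma[c] in lifted)   # gamma^{-1} o lam(C)


# Constructed T-coalgebra gamma: C -> TC (successors, atoms true at the state).
GAMMA_T = {0: (frozenset({1, 2}), frozenset({"p"})),
           1: (frozenset({2}), frozenset({"p", "q"})),
           2: (frozenset(), frozenset({"q"}))}


def kripke_box(X, gamma):
    """Direct Kripke reading of the box: every successor lies in X."""
    return frozenset(c for c in gamma if gamma[c][0] <= X)


def box_matches_kripke(X):
    """gamma^{-1} o lam(C)(X) agrees with the Kripke box of X (Example 6)."""
    lifted = box_lifting(C, X)
    return frozenset(c for c in C if GAMMA_T[c] in lifted) == kripke_box(X, GAMMA_T)


# Constructed signature morphism sigma: S -> T with SX = P(X), sigma(X)(Y) = (Y, {});
# it is natural because it only pairs Y with a fixed constant.
def sigma(y):
    return (y, frozenset())


def translate_lifting(lam):
    """sigma^{-1} o lam, a predicate lifting for S (Lemma 5)."""
    def lifted(carrier, X):
        image = lam(carrier, X)
        return {y for y in powerset(carrier) if sigma(y) in image}
    return lifted


LIFTINGS_S = {("sigma_inv", n): translate_lifting(l) for n, l in LIFTINGS_T.items()}


def sigma_star(phi):
    """Translation of Definition 11: [lam] becomes [sigma^{-1} o lam]."""
    if phi[0] == "ff":
        return phi
    if phi[0] == "imp":
        return ("imp", sigma_star(phi[1]), sigma_star(phi[2]))
    return ("mod", ("sigma_inv", phi[1]), sigma_star(phi[2]))


GAMMA_S = {0: frozenset({1, 2}), 1: frozenset({2}), 2: frozenset()}   # S-coalgebra


def satisfaction_holds(phi):
    """Lemma 6: [[sigma*(phi)]]_(C,gamma) == [[phi]]_sigma(C,gamma)."""
    gamma_sigma = {c: sigma(y) for c, y in GAMMA_S.items()}   # the T-coalgebra sigma(C, gamma)
    lhs = sem(sigma_star(phi), C, GAMMA_S, LIFTINGS_S)
    rhs = sem(phi, C, gamma_sigma, LIFTINGS_T)
    return lhs == rhs
```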
7 Conclusions and Related Work

We have addressed the question whether logics for coalgebras can be translated along signature morphisms so as to form an institution. The answer was "in general yes, but one has to take a little care when setting up the framework."

It is well known that algebras form institutions with respect to different kinds of logics. Therefore, one might be led to expect that coalgebras and their logics congregate in some kind of coinstitution. This is true to the same extent as coalgebras and their logics form an institution, since there is a one-to-one correspondence between institutions over a category $\mathbb{S}$ and coinstitutions over $\mathbb{S}^{op}$ (Pro\-position 1).

Hence, instead of showing that coalgebras and their logics form an institution, we can equivalently show that they are coinstitutions. We prefer the latter, since we feel more comfortable with a category $\mathbb{S} \subseteq [\mathbb{T}, \mathbb{T}]$ of signatures than with its opposite; but this is clearly just a matter of taste.

We then showed that the dual of the satisfaction condition holds for three different types of logics for coalgebras: Abstract Behavioural Logic, Coalgebraic Logic and Coalgebraic Modal Logic. The framework of abstract behavioural logic is based on the observation that formulas of a behavioural logic can be represented as subsets of the final coalgebra, if the latter exists. This leads to a translation not of formulas, but of the associated representations, resulting in an institution (Theorem 1). For the second type of logic, Moss' coalgebraic logic, the syntax needed to be modified slightly to obtain an institution. We have shown that this modification does not increase the expressive power of the logic (Proposition 4) and gives rise to an institution (Theorem 2). The third framework which we have studied is coalgebraic modal logic, which, in contrast to the ones mentioned before, comes with a concrete syntax, given by a set of predicate liftings for the endofunctor under consideration. The key observation here is that predicate liftings translate along signature morphisms (Lemma 5), thus giving rise to an inductively defined translation between logics for different signature functors. This translation is well-behaved, witnessed by the fact that coalgebraic modal logic also forms an institution (Theorem 3).

The question whether logics for coalgebras form institutions was also taken up in [5, 17]. In [5], the satisfaction condition was established for an inductively defined class of functors, so-called "Kripke polynomial functors", on a category of sorted sets. In contrast, our approach is purely semantical and can be seen to subsume the one-sorted case treated in [5]. In [17], the satisfaction condition was only established for the case of coalgebraic modal logic. A purely semantical study about the relationship between categories of coalgebras for parameterised endofunctors was already carried out in [12].
Abstract. The paper discusses the problem of representing and combining inference systems for (abstract) context institutions, within the framework of context presentations [10]. As it turns out, thanks to the context information present in this setting, the inference rules for quantifier logics can be expressed and manipulated in a simple way, without referring to binding operators or requirements (cf. [12]).



1 Introduction 

Many applications of logic in computing science concern composite domains. As a consequence, it is becoming widely accepted that practically useful logical formalisms should have a compositional nature, possibly reflecting the structure of the problem domain.

Since the development of the notion of institution [5], formalizing "an abstract model theory for specification and programming", the issue of combining logical systems started to attract the interest of researchers. The notion of parchment [4] was originally invented as a tool for proving the satisfaction condition for institutions. In [6] parchments have been proposed as a framework for combining logics. The idea has been further refined and explored in a series of papers [7, 8, 3, 2].

Institutions and parchment-like structures describe the structural part of a logical system only. In particular, they do not take inference systems into account. The issue of combining inference systems has been investigated mostly in the context of fibring logics [11]. Some of the results from this field have been applied to parchment-like structures in [3] (for the case of propositional logics), and recently extended to quantifier logics in [2].

In what follows we shall discuss the problem of representing and combining inference systems for (abstract) context institutions, within the framework of context presentations [10]. As it turns out, thanks to the context information present in this setting, the inference rules for quantifier logics can be expressed and manipulated in a simple way, without referring to binding operators or requirements (cf. [12]).
2 Context Presentations and Context Institutions

The aim of this section is mostly to recall some basic notions and facts from [10]. Let us start with metasignatures and metastructures, which presentations use for describing the syntactic and semantic aspects of a logical system respectively.

2.1 Metalanguage Framework

Definition 1. A metasignature is a six-tuple $L = (S, \Omega, \Pi, V, C, Q)$, such that $(S, \Omega, \Pi)$ is a relational signature, $V \subseteq S$, $C$ is a family of sets indexed by natural numbers, and $Q$ is a set.

Informally speaking, metasignatures are just relational signatures enriched by symbols of logical connectives (the family $C$), quantifier symbols (the set $Q$), and having a distinguished subset of sort names (the set $V$), for which we want to talk about variables. A metasignature morphism consists of a relational signature morphism preserving the variable sorts, i.e., elements of $V$, and two mappings relating the connectives and quantifier symbols (see [10] for details). The metasignatures and their morphisms (with an obvious definition of composition) constitute a category, which we shall denote by $\mathbf{MSig}$.

For every metasignature $L = (S, \Omega, \Pi, V, C, Q)$, by $\mathrm{Syn}(L)$ we shall denote an algebraic signature $(S \uplus \{*\},\ \Omega^{syn} \cup \Pi^{syn} \cup C^{syn})$ such that:

$\omega \in \Omega_{w,s}$ iff $\omega \in \Omega^{syn}_{T(w), T(s)}$

$\pi \in \Pi_{w}$ iff $\pi \in \Pi^{syn}_{T(w), B}$

$c \in C_n$ iff $c \in C^{syn}_{B^n, B}$

where $T(s)$ and $B$ denote the injection of $s \in S$ and $*$ into the disjoint union $S \uplus \{*\}$ respectively.

The above construction in an obvious way extends to a syntax functor $\mathrm{Syn} : \mathbf{MSig} \to \mathbf{AlgSig}$. In what follows, we shall also use two "sub-functors" of the functor $\mathrm{Syn}$, namely $\mathrm{Atm} : \mathbf{MSig} \to \mathbf{AlgSig}$ and $\mathrm{Trm} : \mathbf{MSig} \to \mathbf{AlgSig}$, such that:

– $\mathrm{Atm}((S, \Omega, \Pi, V, C, Q)) \triangleq (T(S) \cup \{B\},\ \Omega^{syn} \cup \Pi^{syn})$,

– $\mathrm{Trm}((S, \Omega, \Pi, V, C, Q)) \triangleq (T(S),\ \Omega^{syn})$

(the symbol $\triangleq$ means "by definition").

The morphisms $\mathrm{Atm}_\ell$ and $\mathrm{Trm}_\ell$ are given by the respective components of the morphism $\mathrm{Syn}_\ell$. For every metasignature $L$, the signatures $\mathrm{Atm}(L)$ and $\mathrm{Trm}(L)$ are sub-signatures of $\mathrm{Syn}(L)$, hence the informal term "sub-functor".

Definition 2. An $L$-metastructure $\mathcal{A}$ consists of:

– a $\mathrm{Syn}(L)$-algebra $A$,

– a $T(V)$-indexed set $V_{\mathcal{A}}$, such that for every $s \in V$, $(V_{\mathcal{A}})_{T(s)} \subseteq |A|_{T(s)}$,

– a set $D_{\mathcal{A}}$, such that $D_{\mathcal{A}} \subseteq |A|_B$,

– for every symbol $q \in Q$, a partial function $q_{\mathcal{A}} : \mathcal{P}(|A|_B) \rightharpoonup |A|_B$.
The set $|\mathcal{A}| = |A|$ is called the carrier of the metastructure $\mathcal{A}$, the subset $V_{\mathcal{A}}$ its set of assignable values (i.e., elements which can be "ranged over" by variables). The set $|A|_B$, corresponding to the distinguished sort $B$ of the "syntactic" signature $\mathrm{Syn}(L)$, plays the role of the set of logical values, and its subset $D_{\mathcal{A}}$ is the set of designated elements.

$L$-metastructures can be viewed as many-sorted algebras enriched by generalized operations, the partial functions corresponding to the symbols from $Q$. These operations are meant to represent the semantics of quantifiers. Metastructure morphisms are just algebraic homomorphisms preserving both the distinguished subsets (of values and designated elements) and the generalized operations (cf. [10]). The category of $L$-metastructures will be denoted by $\mathbf{MStr}(L)$. For any metasignature morphism $\ell : L \to L'$, $\mathrm{MStr}_\ell : \mathbf{MStr}(L') \to \mathbf{MStr}(L)$ denotes the obvious reduct functor.

2.2 Interpretation Structures and Presentations

Informally speaking, metasignatures can be used for describing the grammar of the language of a logical system, while metastructures give the semantics of the language. This idea is formalized by the notions of an interpretation structure and a presentation.

Definition 3. An interpretation structure is a triple $(L, \mathcal{M}, \mathrm{Int})$, consisting of:

– a metalanguage signature $L \in |\mathbf{MSig}|$,

– a class of models $\mathcal{M} \in |\mathbf{Class}|$,

– an interpretation function (functor) $\mathrm{Int} : \mathcal{M} \to \mathbf{MStr}(L)$.

Interpretation structures closely resemble rooms for model-theoretic parchments (cf. [8]). The main difference is that the latter are built over the notion of ordinary (many-sorted) algebra instead of metastructure.

Definition 4. A triple $(\ell, m, \mathit{int})$ is an interpretation structure morphism from $(L, \mathcal{M}, \mathrm{Int})$ to $(L', \mathcal{M}', \mathrm{Int}')$ iff:

– $\ell : L \to L'$ is a metasignature morphism,

– $m : \mathcal{M}' \to \mathcal{M}$ is a function,

– $\mathit{int} : m ; \mathrm{Int} \to \mathrm{Int}' ; \mathrm{MStr}_\ell$ is a natural transformation.

Since $\mathcal{M}'$ is a discrete category (a class), the natural transformation $\mathit{int}$ is simply an $\mathcal{M}'$-indexed family of metastructure morphisms, such that for every $M' \in \mathcal{M}'$:

$\mathit{int}_{M'} : \mathrm{Int}(m(M')) \to \mathrm{MStr}_\ell(\mathrm{Int}'(M'))$.

The composition of $(\ell, m, \mathit{int}) : IS_1 \to IS_2$ and $(\ell', m', \mathit{int}') : IS_2 \to IS_3$ is defined by:

$(\ell, m, \mathit{int}) ; (\ell', m', \mathit{int}') = (\ell ; \ell',\ m' ; m,\ (m' * \mathit{int}) ; (\mathit{int}' * \mathrm{MStr}_\ell))$.

Interpretation structures and their morphisms constitute a category which we shall denote by $\mathbf{IntStr}$.
Definition 5. A context presentation is an arbitrary functor into the category of interpretation structures:

$\mathcal{P} : \mathbf{Sig}^{\mathcal{P}} \to \mathbf{IntStr}$.

We shall call $\mathbf{Sig}^{\mathcal{P}}$ the category of signatures of the presentation $\mathcal{P}$.

Let $\mathcal{P} : \mathbf{Sig}^{\mathcal{P}} \to \mathbf{IntStr}$ be a context presentation. To simplify notation, in the sequel we shall omit the superscript from the name of the category of signatures for $\mathcal{P}$.

For any signature $\Sigma \in |\mathbf{Sig}|$ the presentation $\mathcal{P}$ assigns an interpretation structure $\mathcal{P}(\Sigma)$:

$\Sigma \mapsto \mathcal{P}(\Sigma) = (L_\Sigma,\ \mathcal{M}_\Sigma,\ \mathrm{Int}_\Sigma : \mathcal{M}_\Sigma \to \mathbf{MStr}(L_\Sigma))$.

By "projecting" $\mathcal{P}$ to the first and second component respectively we obtain the metalanguage functor $\mathrm{Lan}^{\mathcal{P}} : \mathbf{Sig} \to \mathbf{MSig}$ and the model functor $\mathrm{Mod}^{\mathcal{P}} : \mathbf{Sig}^{op} \to \mathbf{Class}$ for $\mathcal{P}$. Relationships between these two functors can be depicted as follows:

[Diagram: a signature morphism $\sigma : \Sigma \to \Sigma'$ is sent by $\mathrm{Lan}^{\mathcal{P}}$ to $\mathrm{Lan}_\sigma : \mathrm{Lan}_\Sigma \to \mathrm{Lan}_{\Sigma'}$ and by $\mathrm{Mod}^{\mathcal{P}}$ to $\mathrm{Mod}_\sigma : \mathrm{Mod}_{\Sigma'} \to \mathrm{Mod}_\Sigma$; the interpretation functors $\mathrm{Int}_\Sigma : \mathrm{Mod}_\Sigma \to \mathbf{MStr}(\mathrm{Lan}_\Sigma)$ and $\mathrm{Int}_{\Sigma'} : \mathrm{Mod}_{\Sigma'} \to \mathbf{MStr}(\mathrm{Lan}_{\Sigma'})$ are related through $\mathrm{MStr}(\mathrm{Lan}_\sigma)$]

Definition 6. Let $\mathcal{P}_1 : \mathbf{Sig}^{\mathcal{P}_1} \to \mathbf{IntStr}$ and $\mathcal{P}_2 : \mathbf{Sig}^{\mathcal{P}_2} \to \mathbf{IntStr}$ be presentations. A morphism from $\mathcal{P}_1$ to $\mathcal{P}_2$ is a pair $(\Phi, \mu) : \mathcal{P}_1 \to \mathcal{P}_2$ such that:

– $\Phi : \mathbf{Sig}^{\mathcal{P}_1} \to \mathbf{Sig}^{\mathcal{P}_2}$ is a functor,

– $\mu : \mathcal{P}_1 \Rightarrow \Phi ; \mathcal{P}_2$ is a natural transformation.

Presentations and presentation morphisms constitute a category which we shall denote by $\mathbf{Pres}$.

We shall now give two simple examples and describe a presentation $\mathcal{EQL}$ for many-sorted equational logic and a presentation $\mathcal{FOL}$ for many-sorted first-order logic (without equality). Other examples of presentations, as well as examples of their morphisms, can be found in [9, 10].

Example 1 (Many-sorted equational logic). The category of signatures for $\mathcal{EQL}$ is the category of algebraic signatures $\mathbf{AlgSig}$. The metalanguage functor $\mathrm{Lan}^{\mathcal{EQL}} : \mathbf{AlgSig} \to \mathbf{MSig}$ is defined as follows:

– $\mathrm{Lan}^{\mathcal{EQL}}((S, \Omega)) = (S, \Omega, \Pi, S, C, \emptyset)$, where $\Pi_{ss} = \{=\}$ for $s \in S$, and all other elements of $\Pi$, and all $C_n$ for $n \geq 0$, are empty,

– for every $\sigma : \Sigma_1 \to \Sigma_2$ in $\mathbf{AlgSig}$, the morphism $\mathrm{Lan}^{\mathcal{EQL}}_\sigma : \mathrm{Lan}^{\mathcal{EQL}}(\Sigma_1) \to \mathrm{Lan}^{\mathcal{EQL}}(\Sigma_2)$ is defined as $\sigma$ for the symbols coming from $\Sigma_1$, and as the identity for the equations from $\Pi_{ss}$, for $s \in S$.

The model functor $\mathrm{Mod}^{\mathcal{EQL}}$ for every signature $\Sigma$ in $\mathbf{AlgSig}$ returns the class of all $\Sigma$-algebras $\mathbf{Alg}(\Sigma)$. For every algebraic signature morphism $\sigma$, the function $\mathrm{Mod}^{\mathcal{EQL}}_\sigma$ is the usual algebraic $\sigma$-reduct operation.




Presenting and Combining Inference Systems 413 



Let $\Sigma = (S, \Omega)$ be an algebraic signature. For every $\Sigma$-model (algebra) $M$, we shall now define the metastructure $\mathrm{Int}_\Sigma(M)$. Let $A_M$ be a $\mathrm{Syn}^{\mathcal{EQL}}(\Sigma)$-algebra such that:

– for every sort $s \in S$, let $|A_M|_{T(s)} = |M|_s$,

– $|A_M|_B = \{\mathrm{tt}, \mathrm{ff}\}$,

– for every $\omega : s_1 \ldots s_n \to s_0$, $\omega_{A_M} = \omega_M$,

– for every $s$ in $S$ and $a_1, a_2$ in $|A_M|_{T(s)}$, $a_1 =_{A_M} a_2$ equals $\mathrm{tt}$ if and only if $a_1$ and $a_2$ are identical.

For every $s \in S$, as the set of values $V_{T(s)}$ for the sort $T(s)$, let us take the whole$^1$ set $|A_M|_{T(s)}$, and as the set of designated elements the singleton set $\{\mathrm{tt}\}$.

For every algebraic signature morphism $\sigma : \Sigma_1 \to \Sigma_2$ and every algebra $A \in \mathrm{Mod}^{\mathcal{EQL}}_{\Sigma_2}$, let $\mathit{int}_A$ be the identity morphism.

Example 2 (Many-sorted first-order logic). The category of signatures for $\mathcal{FOL}$ is the category of relational signatures $\mathbf{RelSig}$, whose objects are triples $(S, \Omega, \Pi)$, where $S$ is the set of sort names, $\Omega$ is an $S^* \times S$-indexed set of operation symbols and $\Pi$ is an $S^*$-indexed set of relational symbols. Morphisms in $\mathbf{RelSig}$ are defined in the usual way. The metalanguage functor $\mathrm{Lan}^{\mathcal{FOL}} : \mathbf{RelSig} \to \mathbf{MSig}$ is defined as follows:

– $\mathrm{Lan}^{\mathcal{FOL}}((S, \Omega, \Pi)) = (S, \Omega, \Pi, S, C, \{\forall\})$, where $C_1 = \{\neg\}$, $C_2 = \{\wedge\}$, and the sets $C_0$ and $C_n$ for $n \geq 3$ are empty,

– for every relational signature morphism $\sigma : \Sigma_1 \to \Sigma_2$, the morphism $\mathrm{Lan}^{\mathcal{FOL}}_\sigma : \mathrm{Lan}^{\mathcal{FOL}}(\Sigma_1) \to \mathrm{Lan}^{\mathcal{FOL}}(\Sigma_2)$ is given by $\sigma$ for symbols coming from $\Sigma_1$, and is defined as the identity for connectives and the quantifier, i.e. for the symbols $\neg$, $\wedge$ and $\forall$.

The functor $\mathrm{Mod}^{\mathcal{FOL}} : \mathbf{RelSig}^{op} \to \mathbf{Class}$, for every relational signature $\Sigma$, returns the class of all relational $\Sigma$-structures (defined in a standard way). For every $\sigma : \Sigma_1 \to \Sigma_2$ in $\mathbf{RelSig}$, the function $\mathrm{Mod}^{\mathcal{FOL}}_\sigma$ is the corresponding $\sigma$-reduct operation.

Let us now define the interpretation function for $\Sigma = (S, \Omega, \Pi)$. Let $M$ be an arbitrary relational $\Sigma$-structure. We have to define the metastructure $\mathrm{Int}_\Sigma(M)$. Let $A_M$ be a $\mathrm{Syn}^{\mathcal{FOL}}(\Sigma)$-algebra such that:

– the carrier $|A_M|$ and the interpretation of operation symbols from $\Omega$ are defined as in the case of $\mathcal{EQL}$,

– for every relational symbol $\pi : s_1 \ldots s_n$ and $a_i$ in $|A_M|_{T(s_i)}$, $i = 1 \ldots n$, the value of $\pi_{A_M}(a_1, \ldots, a_n)$ equals $\mathrm{tt}$ if and only if the tuple $(a_1, \ldots, a_n)$ belongs to $\pi_M$,

– $\neg_{A_M}$ and $\wedge_{A_M}$ are the usual negation and conjunction.

$^1$ In general, the set of values could be a proper subset of the carrier, e.g. as in the case of partial first-order logic (cf. [10]).
The set of values and the set of designated elements are defined in the same way as for $\mathcal{EQL}$. The generalized operation $\forall_{A_M}$ interpreting the $\forall$ quantifier is defined as follows:

$\forall_{A_M}(B) = \begin{cases} \mathrm{ff} & \text{if } \mathrm{ff} \in B \\ \mathrm{tt} & \text{otherwise,} \end{cases}$

where $B \subseteq |A_M|_B$ is an arbitrary subset.

For every signature morphism $\sigma : \Sigma_1 \to \Sigma_2$ in $\mathbf{RelSig}$, and every model $M_2 \in \mathrm{Mod}^{\mathcal{FOL}}_{\Sigma_2}$, the morphism $\mathit{int}_{M_2}$ is the identity.



2.3 Towards Syntax Metaformulae 

As we have mentioned, we want to treat metasignatures as grammars for the languages of terms and formulae. This idea is made precise through the construction 
of a metaformula functor 

$$\mathrm{MFrm} : \mathbf{MSig} \to \mathbf{sDgm}(\mathbf{Set})$$

where sDgm(Set) is the category of small diagrams in Set^. Below, we shall 
briefly sketch this construction, since (a slight modification of) it will also be 
used in the next section for defining schematic metaformulae. 

Let $\mathcal{V}$ be an arbitrary (denumerable) vocabulary of variable symbols with a 
fixed choice function $\mathit{choice} : (\mathcal{P}(\mathcal{V}) \setminus \{\emptyset\}) \to \mathcal{V}$, i.e. a function such that 
$\mathit{choice}(V) \in V$ for all nonempty $V \subseteq \mathcal{V}$. 

For every metasignature $L = (S, \Omega, \Pi, R, C, Q)$ let $\mathbf{MCtxt}_L$ be the full subcategory 
of the category of substitutions over $\mathrm{Trm}(L)$ whose objects are $T(S)$-sorted 
sets $X$ of elements of $\mathcal{V}$ such that $X_s = \emptyset$ for $s \notin R$. This category will be 
called the category of $L$-metacontexts. 

For any $L$-metacontext $X$, using (almost) the usual first-order syntax approach, 
we define the set of metaformulae $\mathrm{MFrm}_L(X)$. The construction proceeds 
by induction over the set of all $L$-metacontexts. Let $\{\, \mathrm{MFrm}_L(X) \mid X \in |\mathbf{MCtxt}_L| \,\}$ 
be the smallest family of sets satisfying the following conditions: 

$$|T_{\mathrm{Atm}(L)}(X)|_{\mathbf{B}} \subseteq \mathrm{MFrm}_L(X)$$

$$\frac{c \in C_n \qquad \varphi_1, \ldots, \varphi_n \in \mathrm{MFrm}_L(X)}{c(\varphi_1, \ldots, \varphi_n) \in \mathrm{MFrm}_L(X)}$$

$$\frac{\varphi \in \mathrm{MFrm}_L(X \cup \{v\}_s) \qquad v = \mathit{fresh}(X) \qquad q \in Q \qquad s \in R}{q\,v^s.\varphi \in \mathrm{MFrm}_L(X)}$$

where $\mathit{fresh}(X) = \mathit{choice}(\mathcal{V} \setminus |X|)$. The first condition expresses the fact that every 
atomic metaformula is a metaformula. The remaining two requirements say 

^ The objects in sDgm(Set) are pairs $(\mathbf{A}, F)$, where $\mathbf{A}$ is a small category and $F : \mathbf{A} \to \mathbf{Set}$ 
is a functor. A morphism from $(\mathbf{A}, F)$ to $(\mathbf{B}, G)$ is a pair $(H, \alpha)$, such that 
$H : \mathbf{A} \to \mathbf{B}$ is a functor and $\alpha : F \Rightarrow H ; G$ is a natural transformation. Composition 
of morphisms $(H, \alpha) : (\mathbf{A}_1, F_1) \to (\mathbf{A}_2, F_2)$ and $(H', \beta) : (\mathbf{A}_2, F_2) \to (\mathbf{A}_3, F_3)$ is 
defined as $(H ; H',\; \alpha ; (H * \beta))$. 
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that the set MFrm 2 ^(X) is closed under applications of connectives and quanti- 
fiers. 

The requirement that v = fresh (X) guarantees that the resulting metafor- 
mulea are normalized wrt. a suitably defined notion of syntactic substitution (in 
the sense of [13, 9]). Hence, we can avoid the complexity of working with equiva- 
lence classes (wrt. a-conversion) of metaformulae. The syntax translation along 
metasignature morphisms is defined in a standard way. It is not difficult to show 
that the construction indeed defines a functor from MSig to sDgm(Set). 

By the base of an arbitrary functor F : A — > sDgm(Set) we shall mean a 
functor base(F) : A — > sCat, such that base(F)(A) = Ca and base(a : Ai 
A 2 ) = Ca, where F(A) = ^ Set and F(a) = ( Ca : Cai ^ Ca^jO:)- For 

example, the base for the metaformula fuctor MFrm is the metacontext functor 
MCtxt : MSig ^ sCat, which to every metasignature L assigns the category 
of L- metacontexts MCxxXi and for every metasignature morphism gives the 
appropriate metacontext translation. 
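The normalization requirement above (every binder must be fresh(X) for the context it extends) is easy to make concrete. The following Python script is an added example and not part of the paper: it models a single-sorted fragment of the construction (sort decorations on binders are dropped), with a fixed vocabulary v0, v1, ... whose choice function picks the lowest-indexed element. `in_mfrm` decides membership in MFrm_L(X) by the three closure conditions, `normalize` maps any formula to the unique representative of its alpha-class in MFrm_L(X), and `promote` performs the inclusion substitution into s(X), which is where re-normalization becomes necessary. The encoding of formulae, the function names and the sample relation symbol R are all assumptions of the example.

```python
# Added example (not from the paper): normalized metaformulae with a choice-based
# fresh-variable discipline.  Single-sorted; sort decorations on binders are dropped.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple, Union

# Denumerable vocabulary V (a finite prefix suffices here) and the fixed choice
# function: choice(W) is the element of W with the least index in V.
VOCAB: Tuple[str, ...] = tuple(f"v{i}" for i in range(1000))
_INDEX: Dict[str, int] = {v: i for i, v in enumerate(VOCAB)}


def choice(w: FrozenSet[str]) -> str:
    if not w:
        raise ValueError("choice is defined on nonempty subsets of V only")
    return min(w, key=_INDEX.__getitem__)


def fresh(ctx: FrozenSet[str]) -> str:
    """fresh(X) = choice(V minus |X|)."""
    return choice(frozenset(VOCAB) - ctx)


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Atom:                 # atomic metaformula pi(t_1, ..., t_n); terms are variables
    pred: str
    args: Tuple[Var, ...]


@dataclass(frozen=True)
class Conn:                 # connective c in C_n applied to n metaformulae
    c: str
    args: Tuple["Formula", ...]


@dataclass(frozen=True)
class Quant:                # q v . body; in_mfrm requires v == fresh(X)
    q: str
    var: str
    body: "Formula"


Formula = Union[Atom, Conn, Quant]


def in_mfrm(f: Formula, ctx: FrozenSet[str]) -> bool:
    """Decide f in MFrm_L(ctx) by the three closure conditions.  The quantifier
    case is where normalization is enforced: the binder must equal fresh(ctx)."""
    if isinstance(f, Atom):
        return all(a.name in ctx for a in f.args)
    if isinstance(f, Conn):
        return all(in_mfrm(g, ctx) for g in f.args)
    if isinstance(f, Quant):
        return f.var == fresh(ctx) and in_mfrm(f.body, ctx | {f.var})
    raise TypeError(f"not a formula: {f!r}")


def normalize(f: Formula, ctx: FrozenSet[str],
              env: Optional[Dict[str, str]] = None) -> Formula:
    """Rename every binder to fresh(.) of the context it extends, yielding the
    unique representative of f's alpha-class in MFrm_L(ctx).  `env` maps source
    binder names to their canonical replacements.  Free variables of f are
    assumed to lie in ctx, so no capture can occur: each new binder is chosen
    outside ctx, and ctx already contains all enclosing (renamed) binders."""
    env = env or {}
    if isinstance(f, Atom):
        return Atom(f.pred, tuple(Var(env.get(a.name, a.name)) for a in f.args))
    if isinstance(f, Conn):
        return Conn(f.c, tuple(normalize(g, ctx, env) for g in f.args))
    if isinstance(f, Quant):
        v = fresh(ctx)
        return Quant(f.q, v, normalize(f.body, ctx | {v}, {**env, f.var: v}))
    raise TypeError(f"not a formula: {f!r}")


def promote(f: Formula, ctx: FrozenSet[str]) -> Tuple[FrozenSet[str], Formula]:
    """The inclusion substitution X -> s(X) = X u {fresh(X)}: the formula is
    unchanged as a term, but its binders must be re-normalized w.r.t. s(X)."""
    new_ctx = ctx | {fresh(ctx)}
    return new_ctx, normalize(f, new_ctx)


def demo() -> Tuple[bool, bool, bool]:
    """Two alpha-variants written with arbitrary binder names collapse to the
    same normalized metaformula; only the normalized one is in MFrm_L(empty)."""
    empty: FrozenSet[str] = frozenset()
    a = Quant("forall", "x", Quant("forall", "y", Atom("R", (Var("x"), Var("y")))))
    b = Quant("forall", "y", Quant("forall", "x", Atom("R", (Var("y"), Var("x")))))
    na, nb = normalize(a, empty), normalize(b, empty)
    return na == nb, in_mfrm(na, empty), in_mfrm(a, empty)


if __name__ == "__main__":
    print(demo())
    print(promote(Quant("forall", "v0", Atom("R", (Var("v0"),))), frozenset()))
```

Because the representative is determined by the context alone, syntactic equality of normalized terms coincides with alpha-equivalence, which is exactly what lets the paper avoid equivalence classes; `promote` shows the price: moving a formula into the larger context s(X) shifts all its binders, since fresh(X) is now taken by the new context variable.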



2.4 From Presentation to Context Institution 

In [9, 10] universal constructions in the category Pres of presentations have been 
proposed as a framework for systematic construction of logical systems. Among 
the objects of Pres the “really interesting ones” are those for which we can 
directly construct a corresponding context institution. 

Definition 7. A context institution consists of: 

— a category Sig of signatures, 

— a formula functor $\mathrm{Frm} : \mathbf{Sig} \to \mathbf{sDgm}(\mathbf{Set})$, 

— a model functor $\mathrm{Mod} : \mathbf{Sig}^{op} \to \mathbf{Class}$, 

— a valuation functor $\mathrm{Val} : \mathbf{Elts}(\mathrm{Mod}) \to \mathbf{sDgm}(\mathbf{Set})$, 

such that $\mathrm{base}(\mathrm{Val})\,;\,(\_)^{op} = \mathrm{base}(\pi\,;\,\mathrm{Frm})$, where Elts(Mod) denotes the category 
of elements^ for Mod and $\pi : \mathbf{Elts}(\mathrm{Mod}) \to \mathbf{Sig}$ is the obvious projection 
functor, plus for every signature $\Sigma$, model $M$ in $\mathrm{Mod}_\Sigma$, and context $\Gamma \in |\mathbf{Ctxt}_\Sigma|$ 
(where $\mathrm{Ctxt} = \mathrm{base}(\mathrm{Frm})$), 

— a binary satisfaction relation 

$$\models_{\Sigma,\Gamma} \;\subseteq\; \mathrm{Val}_{\Sigma,M}(\Gamma) \times \mathrm{Frm}_\Sigma(\Gamma)$$

such that suitably defined Satisfaction and Substitution conditions hold (see [10] 
for details). 

Due to the lack of space we shall not give any examples of context institutions 
here. The interested reader may consult [10, 9] for more information, motivation 

^ The objects in Elts(Mod) are pairs $(\Sigma, M)$ s.t. $\Sigma \in |\mathbf{Sig}|$ and $M \in |\mathrm{Mod}_\Sigma|$. A 
morphism from $(\Sigma_1, M_1)$ to $(\Sigma_2, M_2)$ is a signature morphism $\sigma : \Sigma_1 \to \Sigma_2$ s.t. 
$\mathrm{Mod}_\sigma(M_2) = M_1$ (for more on categories of elements see [1]). 
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as well as the definition of context institution morphism. In what follows the 
category of context institutions will be denoted by ConIns. 

The condition which enables us to construct a context institution X(lP) out of 
a context presentation (P is called logicality. In what follows I{tP) will be called 
the context institution generated by tP. 

Definition 8. A presentation $\mathcal{P} : \mathbf{Sig} \to \mathbf{IntStr}$ is called logical iff: 

— for every signature $\Sigma$ in Sig, and every model $M$ in $\mathrm{Mod}_\Sigma$, all the generalized 
operations in the metastructure $\mathrm{Int}_\Sigma(M)$ are total, 

— for every signature morphism $\sigma : \Sigma \to \Sigma'$ and every model $M'$ in $\mathrm{Mod}_{\Sigma'}$ the 
morphism $\mathrm{int}^{M'}_\sigma : \mathrm{Int}_\Sigma(\mathrm{Mod}_\sigma(M')) \to \mathrm{MStr}_{\mathrm{Lan}_\sigma}(\mathrm{Int}_{\Sigma'}(M'))$: 

• reflects the designated elements, 

• is surjective on the set of assignable values. 

The notion of logicality extends to presentation morphisms yielding a category 
of logical presentations denoted by LogPres. 

For an arbitrary logical presentation $\mathcal{P}$ the context institution $\mathcal{I}(\mathcal{P})$ generated 
by $\mathcal{P}$ has the same category of signatures as $\mathcal{P}$. Also the model functor for $\mathcal{I}(\mathcal{P})$ 
is the model functor for $\mathcal{P}$ (see Sect. 2.2). The formula functor is defined as the 
composition $\mathrm{Lan}\,;\,\mathrm{MFrm}$. Valuations are (suitably indexed) functions between 
contexts and carriers of the metastructures interpreting models (given by Int). 
For every signature $\Sigma$, every $\Sigma$-model $M$ and every $\Sigma$-context $X$ the satisfaction 
relation is given by: 

$$M[v] \models_{\Sigma,X} \varphi \quad\text{iff}\quad [\![\varphi]\!]_v \in D_{\mathrm{Int}_\Sigma(M)}$$

where $[\![\_]\!]_v$ denotes the semantic interpretation function for formulae under the valuation $v$. 

In other words, a formula $\varphi$ is satisfied by a valuation $v$ of the context $X$ in the 
model $M$ if and only if the value of its semantic interpretation corresponding 
to $v$ belongs to the set of designated elements of the metastructure $\mathrm{Int}_\Sigma(M)$ 
(see [10, 9] for details). The construction of $\mathcal{I}(\mathcal{P})$ extends to a functor 
$\mathcal{I}(\_) : \mathbf{LogPres} \to \mathbf{ConIns}$ (cf. [9], Theorem 23 and Proposition 24). 

In an obvious way both presentations described above, EQL and FOL, are 
logical. Many more examples of logical presentations can be found in [9, 10]. 

3 Schematic Metaformulae 

To proceed towards our goal of introducing inference rules for context pre- 
sentations we need to define expressions which, when appropriately “instanti- 
ated”, would denote formulae of the object logic. We shall call such expressions 
schematic metaformulae. They constitute a functor 

$$\mathrm{SMFrm} : \mathbf{MSig} \to \mathbf{sDgm}(\mathbf{Set}) \qquad (1)$$

which we define below. In what follows we shall frequently use the term “s- 
metaformula” instead of “schematic metaformula”. 
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In addition to the “ordinary” variables (elements of V) s- metaformulae can 
contain variables denoting formulae of the logic in question. Those formula 
variables have to constitute a part of the extended notion of context for s- 
metaformulae. Defining schematic metacontexts we have to be careful to avoid 
“incompatibilities” between different occurrences of the same formula variable 
in a given s-metaformula. To clarify it let us consider the expression 

qx'^.cj) qx'^.cj) (2) 

containing two occurences of a formula variable (j). 

Assume that we want the whole expression to be interpreted in the set of 
metaformulae over a given metacontext X. Then, because of the way the family 
of sets MFrmL(A) has been defined, the first occurrence of </> should be evaluated 
within the set of metaformulae over X U {x}r- At the same time, for the same 
reason the second occurrence has to be evaluated in the set of metaformulae 
over X U {x}a“^. In general these two sets would be different. Since in a given 
instance of the quasi s-metaformula (2) we want both occurences of (j) to denote 
the same metaformula we shall put the information about the binding context of 
a formula variable into the schematic metacontext. 

Let TV be the dictionary (set) of formula variables. We shall assume that V 
and TV are disjoint. For any metasignature L = { S, II,V,C,Q) by SMCtxtl 
we shall denote a category whose object are triples (s. A, <?) such that s G F*, 
X is an L-metacontext and <P is an y*-sorted set of elements from TV. We shall 
also say, that a formula variable (f> G d^si...s„ has a binding context si . . .s„. A 
morphism in SMCtxtj^ from {s,X,<P) to {s,Y,'V), where C iF is an arbitrary 
metacontext morphism t : X Y. 

In what follows, for any metacontext X and any s G V by s(A) we shall 
denote the metacontext X U {fresh{X)}s. This notation extends to any sequance 
s = Si . . . s„ by putting s(A) = si(. . . s„(A) . . .). 

Let $\{\, \mathrm{SMF}_L(\bar{s}, X, \Phi) \mid (\bar{s}, X, \Phi) \in |\mathbf{SMCtxt}_L| \,\}$ denote the least family of 
sets such that $\mathrm{SMF}_L(\bar{s}, X, \Phi) \subseteq \mathrm{SMF}_L(\bar{s}, X, \Psi)$ for $\Phi \subseteq \Psi$ and satisfying the 
following additional closure conditions: 

$$\frac{\bar{s} \in R^* \qquad \varphi \in |T_{\mathrm{Atm}(L)}(\bar{s}(X))|_{\mathbf{B}}}{\varphi \in \mathrm{SMF}_L(\bar{s}, X, \emptyset)}
\qquad\qquad
\frac{\varphi \in \mathcal{FV} \qquad \bar{s} \in R^*}{\varphi \in \mathrm{SMF}_L(\bar{s}, X, \{\varphi\}_{\bar{s}})}$$

$$\frac{c \in C_n \qquad \varphi_1, \ldots, \varphi_n \in \mathrm{SMF}_L(\bar{s}, X, \Phi)}{c(\varphi_1, \ldots, \varphi_n) \in \mathrm{SMF}_L(\bar{s}, X, \Phi)}$$

$$\frac{\varphi \in \mathrm{SMF}_L(\bar{s}::s, X, \Phi) \qquad v = \mathit{fresh}(\bar{s}(X)) \qquad q \in Q \qquad s \in R}{q\,v^s.\varphi \in \mathrm{SMF}_L(\bar{s}, X, \Phi)}$$

$$\frac{\varphi \in \mathrm{SMF}_L(\bar{s}, X, \Phi) \qquad s \in R}{[\varphi]_s \in \mathrm{SMF}_L(\bar{s}::s, X, \Phi)}$$

^ More formally, instead of the variable $x$ we should have used $\mathit{fresh}(X)$ (with appropriate 
sort "decoration"). 
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The last clause represents an “inclusion” between the sets SMFi( s, X, <? ) 
and SMF^( s::s, X, 

As in the case of metaformulae, because of the “freshness” requirement for the 
variable v above, each of the sets SM F^ ( s, A, ^ ) contains only expressions which 
are normalized wrt. syntactic substitution of terms for variables, i.e. expressions 
invariant under the identity substitution. 

For any metasignature L the schematic metaformula functor SMFrm^ to ev- 
ery schematic metacontext {s,X,<P) assigns the set SMFi( s, A, ^). For any 
s- metacontext morphism t : {s,X,<P) (s, A, S'), its image under SMFrrrii 

is a suitably defined substitution operation. Due to the lack of space we shall 
not give its almost obvious definition here. For a metasignature morphism i : 
Li L 2 its image under SMFrm is a family of functions translating for ev- 
ery s-metacontext (s. A, <?) s-metaformulae from SMF/^^ ( s, A, to the set 
S M Fl 3 ( r (s) , M Ctxt^ (A) , SSet^. (^>) ) ^ . 

Note, that there is a “natural inclusion” a : MFrm ^ SMFrm. For every 
metasignature L the functor : MCtxtl ^ SMCtxtl sends each metacon- 
text A to the s-metacontext ( e. A, 0 ) and every morphism f : X ^ Y to itself. 
For any metacontext A the function a^™{X) : MFrm^(A) ^ SMFrmi( e. A, 0 ) 
is the identity. 

4 Inference Rules and Extended Presentations 

Let $L$ be an arbitrary metasignature. Taking schematic metaformulae as the 
basis, we shall now define the notion of an $L$-inference-rule. 

Definition 9. An $L$-inference-rule is a triple $r = ((\bar{s}, X, \Phi), \mathit{prem}(r), \mathit{conc}(r))$ 
such that: 

— $(\bar{s}, X, \Phi)$ is a schematic metacontext, 

— $\mathit{prem}(r) \in \mathcal{P}(\mathrm{SMFrm}_L(\bar{s}, X, \Phi))$, 

— $\mathit{conc}(r) \in \mathrm{SMFrm}_L(\bar{s}, X, \Phi)$. 

Using translations of s-metacontexts and s-metaformulae provided by the functor 
SMFrm we can easily see that the inference rules actually define a functor 

$$\mathrm{Rules} : \mathbf{MSig} \to \mathbf{Set}$$

which to every metasignature $L$ assigns the set of all $L$-rules. 

Definition 10. An extended interpretation structure is a pair $(\mathit{IS}, R)$ consisting of: 

— an interpretation structure $\mathit{IS} = (L, \mathcal{M}, \mathrm{Int})$, 

— a set of $L$-rules $R \subseteq \mathrm{Rules}(L)$. 

^ Technically speaking $[\_]_s$ is an obvious extension (by taking formula variables into 
account) of the operation of performing an "inclusion substitution" $\iota : X \to s(X)$. 
In particular, $[\_]_s$ "re-normalizes" its argument wrt. $s(X)$. 

^ By $\iota^*$ we denote the obvious extension of the sort-component of $\iota$ to sequences. SSet 
is the functor "creating" categories of sorted sets (cf. [10]). 
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A morphism from { ISi, Ri) to { IS 2 , R 2 ) is an arbitrary morphims { £, m, int ) : 
ISi IS 2 in IntStr such that Rules^(i?i) C R2 . 

The category of extended interpretation structures and their morphisms will be 
denoted by eIntStr. 

Proposition 1. The category eIntStr is cocomplete. 

Proof. The category IntStr is cocomplete ([9], Theorem 13). Similarily cocom- 
plete is the category of metasignatures ([9], Proposition 18). Using these two 
facts it is easy to verify that the colimits in eIntStr are computed via colimits 
in IntStr and a suitable category of “signed” sets of rules. 

Definition 11. An extended context presentation is an arbitrary functor into 
the category of extended interpretation structures: 

$$\mathcal{P} : \mathbf{Sig} \to \mathbf{eIntStr}.$$

Defining the morphisms similarly as in the case of (ordinary) presentations we 
obtain a category of extended presentations ePres. 

Corollary 1. The category ePres of extended presentations is complete. 

Proof. Completeness is a consequence of the fact that ePres is a category of 
functors "into" a cocomplete category. 



Example 3 (Many-sorted equational logic cntd.). Let us take the presentation 
EQL for many-sorted equational logic, defined in Example 1. We shall turn it into 
an extended presentation $\mathrm{EQL} : \mathbf{AlgSig} \to \mathbf{eIntStr}$ by augmenting for every 
algebraic signature $\Sigma = (S, \Omega)$ the original interpretation structure $\mathrm{EQL}(\Sigma)$ 
by the set of rules $R_\Sigma$, consisting of the reflexivity, symmetry, transitivity and 
congruence rules. For example for all $s \in S$ the transitivity rule looks as follows: 

$$\frac{x = y \qquad y = z}{x = z} \qquad\qquad (\varepsilon,\ \{x, y, z\}_s,\ \emptyset)$$

Please note that there is no substitution rule among the rules in $R_\Sigma$. It may 
seem strange at first, but as we shall learn in the next section, there is a good 
reason for this "omission". 



Example 4 (Many-sorted first-order logic cntd.). To obtain an extended presentation 
for the first-order logic (without equality) it is enough to augment each 
interpretation structure for the presentation FOL by inference rules corresponding 
to the axiom schemata of the classical propositional calculus, the rule of 
modus ponens and the following rules: 

$$\frac{}{[\forall x^s.\varphi]_s \to \varphi} \qquad\qquad (s,\ \emptyset,\ \{\varphi\}_s)$$

$$\frac{[\varphi]_s \to \psi}{[\varphi]_s \to [\forall x^s.\psi]_s} \qquad\qquad (s,\ \emptyset,\ \{\varphi\}_\varepsilon \cup \{\psi\}_s)$$

for all $s \in S$. 
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4.1 From Extended Presentations to Entailment Systems 

The notion of logicality introduced for ordinary presentations can without any 
change be used for the extended case: we do not require anything extra about 
the inference rules of extended logical presentations. We shall denote the resulting 
category by eLogPres. 

Let $\mathcal{P} : \mathbf{Sig} \to \mathbf{eIntStr}$ be a logical extended presentation. In this section we 
shall define the entailment system generated by the rules of $\mathcal{P}$ and discuss its 
semantic interpretation within the context institution $\mathcal{I}(\mathcal{P})$. Let us start with 
the notion of a valuation of a schematic metacontext. 

Definition 12. A valuation of a schematic metacontext $(\bar{s}, X, \Phi)$ in an $L$-metacontext 
$Y$ is an arbitrary pair $(t, \rho)$ such that $t : X \to Y$ is a metacontext 
morphism and $\rho$ is an $R^*$-indexed function from $\Phi$ to $\{\, \mathrm{MFrm}_L(\bar{s}(Y)) \mid \bar{s} \in R^* \,\}$. 

Every $(t, \rho)$ defines an instantiation function 
$\{\_\}_{(t,\rho)} : \mathrm{SMFrm}_L(\bar{s}, X, \Phi) \to \mathrm{MFrm}_L(\bar{s}(Y))$. Due to the lack of space we are not able to present it here^. 
Using the above concept we are ready to define the notion of an instantiation 
for inference rules. Let $r = ((\bar{s}, X, \Phi), \mathit{prem}(r), \mathit{conc}(r))$ be an $L$-inference-rule. 

Definition 13. An instantiation of $r$ in an $L$-metacontext $Y$ via $(t, \rho)$ is a pair 

$$\big(\, \{\, \{p\}_{(t,\rho)} \mid p \in \mathit{prem}(r) \,\},\; \{\mathit{conc}(r)\}_{(t,\rho)} \,\big).$$

In such a case we shall call the metaformula $\{\mathit{conc}(r)\}_{(t,\rho)}$ an immediate 
consequence of $\{\, \{p\}_{(t,\rho)} \mid p \in \mathit{prem}(r) \,\}$ via $r$ in $Y$. 

For any (extended) presentation $\mathcal{P}$ we can define a sentence functor 
$\mathrm{Sen}^{\mathcal{P}} : \mathbf{Sig} \to \mathbf{Set}$ such that 

$$\mathrm{Sen}^{\mathcal{P}}_\Sigma = \bigcup_{X \in |\mathbf{Ctxt}^{\mathcal{P}}_\Sigma|} \{X\} \times \mathrm{Frm}^{\mathcal{P}}_\Sigma(X)$$

for any signature $\Sigma$ (with an obvious action on morphisms). In plain words, 
$\Sigma$-sentences are just "$\Sigma$-formulae with context". 

The inference rules of $\mathcal{P}$ define an entailment system, i.e. a family 
$\mathit{Ent}(\mathcal{P}) = \{\, \vdash^{\mathcal{P}}_\Sigma \mid \Sigma \in |\mathbf{Sig}| \,\}$ such that 

— each $\vdash^{\mathcal{P}}_\Sigma \subseteq \mathcal{P}(\mathrm{Sen}^{\mathcal{P}}_\Sigma) \times \mathrm{Sen}^{\mathcal{P}}_\Sigma$, and 

— whenever $\Gamma \vdash^{\mathcal{P}}_{\Sigma_1} \varphi$ and $\sigma : \Sigma_1 \to \Sigma_2$ then 
$\mathrm{Sen}^{\mathcal{P}}_\sigma(\Gamma) \vdash^{\mathcal{P}}_{\Sigma_2} \mathrm{Sen}^{\mathcal{P}}_\sigma(\varphi)$. 

The entailment system $\mathit{Ent}(\mathcal{P})$ is given as follows: $\Gamma \vdash^{\mathcal{P}}_\Sigma \varphi$ iff there exists a finite 
sequence $\varphi_1, \ldots, \varphi_n$ of $\Sigma$-sentences such that 

^ The definition is quite obvious, with the only "delicate" point being the normalization 
requirement for the result. 
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4^ 

— for all i < n either (j)i G F or 4>i is an immediate consequence of some of 
the sentences from , (t>i-i} via one of the rules from or (fn is a 

substitution instance of one of the sentences from . . . , 

It should be clear now why we have “omitted” the substitution rule from the 
Example 3. It is because the substitution rule is a built-in “metarule”, i.e. it is 
a part of our notion of consequence in the entailment system for bP. 

For any signature $\Sigma$ in Sig let us introduce the following validity satisfaction 
relation between $\Sigma$-models of $\mathcal{P}$ and sentences from $\mathrm{Sen}^{\mathcal{P}}_\Sigma$: 

$$M \Vdash_\Sigma (X, \varphi) \quad\text{iff}\quad \text{for all } v \in \mathrm{Val}_{\Sigma,M}(X):\; M[v] \models_{\Sigma,X} \varphi.$$

Using the semantic consequence corresponding to $\Vdash_\Sigma$ we can define the notion 
of soundness for rules. Let $r$ be a $\Sigma$-rule in $\mathcal{P}$, i.e. $r \in R_\Sigma$ where 
$\mathcal{P}(\Sigma) = ((\mathrm{Lan}^{\mathcal{P}}_\Sigma, \mathrm{Mod}^{\mathcal{P}}_\Sigma, \mathrm{Int}^{\mathcal{P}}_\Sigma), R_\Sigma)$. 

Definition 14. The rule $r$ is sound iff for every $\Sigma$-context $X$ and every 
$S \subseteq \mathrm{Frm}^{\mathcal{P}}_\Sigma(X)$, $\varphi \in \mathrm{Frm}^{\mathcal{P}}_\Sigma(X)$, if $\varphi$ is an immediate consequence of $S$ via $r$ in $X$, 
then $\{\, (X, \psi) \mid \psi \in S \,\} \Vdash_\Sigma (X, \varphi)$. 

Using the validity satisfaction we can also easily define the semantic soundness 
and semantic completeness of the entailment system for $\mathcal{P}$ given above. 

Definition 15. The entailment system $\mathit{Ent}(\mathcal{P})$ is semantically sound if from 
$\Gamma \vdash^{\mathcal{P}}_\Sigma \varphi$ it follows that $\Gamma \Vdash_\Sigma \varphi$ for every signature $\Sigma$, $\Gamma \subseteq \mathrm{Sen}^{\mathcal{P}}_\Sigma$, and 
$\varphi \in \mathrm{Sen}^{\mathcal{P}}_\Sigma$. It is semantically complete if the implication in the other direction holds. 

The following proposition verifies that our notion of entailment for $\mathcal{P}$ is intuitively 
"correct". 

Proposition 2. The entailment system $\mathit{Ent}(\mathcal{P})$ is semantically sound if and 
only if all its rules are sound. 

4.2 Putting Extended Presentations Together 

The category of extended logical presentations eLogPres is not complete (for the 
same reasons as LogPres is not complete [10]). Therefore if we want to combine 
extended logical presentations, we will have to use the broader category ePres for 
this purpose^. 

^ Strictly speaking, the metaformula being the second component of $\varphi_i$ has to be an 
immediate consequence of some of the metaformulae corresponding to the sentences 
$\varphi_1, \ldots, \varphi_{i-1}$. This requires of course these premises and $\varphi_i$ to have a common 
metacontext. 

^ It means that there is an index $k < i$ and a context morphism $t : X \to Y$ in $\mathbf{Ctxt}^{\mathcal{P}}_\Sigma$, 
where $\mathrm{Ctxt}^{\mathcal{P}} = \mathrm{base}(\mathrm{Frm}^{\mathcal{P}})$, such that $\mathrm{Frm}^{\mathcal{P}}_\Sigma(t)(p_k) = p$ and $\varphi_k = (X, p_k)$ and 
$\varphi_i = (Y, p)$. 

^ Limits in ePres are just limits in Pres extended by the combined inference rules. 
Therefore all the observations about combining ordinary presentations remain true 
for the case of ePres (cf. [10]). 
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The interesting thing is, how the inference rules behave in the combination 
process. Let us take the following example of a pullback square in ePres: 

( G'. V ) 

JOL^LCl fOL 



( F', r' > 



(F,m) 












As it turns out, the presentation ‘JOL‘EQJ& logical and the resulting entailment 
system is semantically sound. However, no matter how complete both Ent{‘EQL) 
and Ent{!J-OL) are, their combination is not complete. For example let 

4> = {X,ti=t2 =k {P{ti) =k P{t2))) 

where P is a unary predicate symbol and ti’s are terms. Then 0 Ih (p, but obvi- 
ously (j) cannot be deduced from the empty set in Ent{!FOLEQ). The problem 
is that the nature of the interaction between the equality and other formulae 
is not described by any of the rules from the component presentations. So we 
cannot hope for a general “completeness preservation” result here. Fortunately, 
as one can show, the situation with soundness is better. 

Proposition 3. If the limit in ePres of a diagram D, consisting of extended 
logical presentations only, is logical, then it preserves the soundness of the com- 
ponent inference systems. 



5 Concluding Remarks 

We have extended the notion of context presentation from [9, 10] by augmenting 
it by inference rules. The resulting framework seems to cover many interesting 
examples, although — due to the lack of space — only two simple ones were briefly 
sketched here. 

For any extended presentation $\mathcal{P}$ we have defined an entailment system $\mathit{Ent}(\mathcal{P})$ 
generated by the rules of $\mathcal{P}$ and the corresponding notions of soundness and 
completeness wrt. the context institution $\mathcal{I}(\mathcal{P})$. 

Thanks to the completeness of the category ePres of extended presentations 
we can use the standard categorical "machinery" as a tool for building logical 
systems with inference rules in a compositional way. Of course the process 
is rather far from being "automatic" (except for the simple cases). Assuming 
that both the components and the result are logical we can assure soundness 
preservation. 

The framework as presented, although quite powerful already, does not allow 
rules with schematic substitution such as the induction principle for example. 
We believe that adding them is possible and moreover, since the notion of sub- 
stitution is a first-order citizen in context presentations, the extended framework 
should enjoy analogous meta-properties as the ones discussed above. 
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A precise relationship between our approach and the “fibred parchment ap- 
proach” presented in [2] is yet to be established. One difference is of course the 
treatment of variables and quantifiers, where our approach seems to be more 
uniform and general (e.g. it admits open formulae and substitutions as first-class 
citizens). The two approaches also differ in the assumed structure of the alge- 
bra of truth values, where we follow the model-theoretic pachments approach [8], 
whereas [2] uses a Tarskian closure operation. 

Another important difference concerns the problem of completeness preser- 
vation. As we have seen in Section 4, in our approach completeness might be 
lost in the process of combination, whereas [2] contains a suitable completeness 
preservation result. The reason for the seeming discrepancy is the notion of full- 
ness adopted in [2], which allows to keep the completeness of the resulting logic. 
In a sense, it comes for the price of obtaining a “non-standard” result how- 
ever. For example, even at the semantical level, the combination of (full versions 
of) propositional modal logic and first-order logic as described in [2] does not 
coincide with the usual first-order modal logic. The solution we have adopted 
follows a more “traditional” interpretation, where although the completeness 
might be lost, the logic obtained as the result of the combination seems to (at 
least) semantically coincide with the “intended one” . 
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Abstract. Monads have been recognized by Moggi as an elegant device 
for dealing with stateful computation in functional programming lan- 
guages. In previous work, we have introduced a Hoare calculus for partial 
correctness of monadic programs. All this has been done in an entirely 
monad-independent way. Here, we extend this to a monad-independent 
dynamic logic (assuming a moderate amount of additional infrastruc- 
ture for the monad). Dynamic logic is more expressive than the Hoare 
calculus; in particular, it allows reasoning about termination and total 
correctness. As the background formalism for these concepts, we use the 
logic of HasCasl, a higher-order language for functional specification 
and programming. 



Introduction 

One of the central concepts of modern functional programming is the encapsulation 
of side effects via monads following the seminal paper [8]. In particular, state 
monads are used to emulate an imperative programming style in the functional 
programming language Haskell [20]. Monads can be used to abstract from a particular 
notion of computation, since they model a wide range of computational 
effects: e.g., stateful computations, non-determinism, partiality, exceptions, in- 
put, and output can all be viewed as monadic computations, and so can various 
combinations of these concepts such as non-deterministic stateful computations. 

Moggi [8] has suggested a Hoare calculus for a state monad with state inter- 
preted as global store. We have generalized this in [17] to a monad-independent 
Hoare calculus. However, Hoare logic in general is concerned only with partial 
correctness and does not allow reasoning about termination or total correctness. 
The right framework for studying the latter is dynamic logic as introduced in [13]. 
Here, we examine the infrastructure that is needed in order to develop dynamic 
logic in a monad-independent way, and show that this does indeed make sense 
when instantiated to the usual monads mentioned above. 

The formalism is embedded into the logic of HasCasl, a higher order lan- 
guage for functional specification and programming based on the first order al- 
gebraic specification language Casl [1,3]. This allows expressing programs and 
their expected properties within one and the same language, so that we obtain a 
unified interpretation of dynamic logic, where formulas consist of programs and 
logical expressions. 

Related work includes evaluation logic, with its two rather different semantics 
as defined by Pitts [10] and Moggi [9], respectively. The approach of [10] is local, 
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but depends additionally on a hyperdoctrine over the monad. The semantics 
of [9] is given entirely in terms of the monad, but has a global nature. We 
use the term ‘dynamic logic’ to emphasize that our approach is local; however, 
unlike in [10], we require no structure beyond the monad, thus reconciling the 
approaches of [10] and [9]. 

1 HasCasl 

The language HasCasl has been introduced in [16] as a higher order extension of 
Casl, based on the partial λ-calculus. We give a brief summary of the language. 

Any HasCasl specification determines a signature consisting of classes, 
types, and operations, and associated axioms that the operations are required 
to satisfy. Basic types are introduced by means of the keyword type. Types may 
be parameterized by type arguments; e.g., we may write 
var a : Type 
type List a 

and obtain a unary type constructor List. There are built-in type constructors 
(with fixed interpretations) _ × _ for product types, _ →? _ and _ → _ for 
partial and total function types, respectively, Pred _ for predicate types, and a 
unit type Unit. 

Next, an operator is a constant of some type, declared by 
op f:t 

where t is a type. Since types may contain type variables, operators can be 
polymorphic in the style of ML. 

From the given operators, we may form higher order terms: a term is either a 
variable, an application, a tuple, or a λ-abstraction. Such terms may be used in 
axioms formulated, to begin, in what we shall call the external logic. This logic 
offers the usual logical connectives (conjunction, negation etc.) as well as universal 
and existential quantifiers, where the outermost universal quantifications 
may also be over type variables, strong and existential equality denoted by $=$ 
and $\stackrel{e}{=}$, respectively, and definedness assertions def a (the latter feature and the 
distinction between the various equalities are related to partial functions; cf. [1] 
for a detailed discussion). 

The semantics of a HasCasl specification is the class of its (set-theoretic) 
intensional Henkin models: a function type need not contain all set-theoretic 
functions, and two functions that yield the same value on every input need 
not be equal; see [16] for a discussion of the rationale behind this. If desired, 
extensionality of models may be forced by means of an axiom expressible within 
the language. 

A consequence of the intensional semantics is the presence of an intuitionistic 
internal logic that lives within λ-terms. One can specify an internal equality 
(for which the symbol = is built-in syntactical sugar) to be used within λ-terms, 
which then allows specifying the full set of logical operations and quantifiers of 
intuitionistic logic; this is carried out in detail in [16]. There is built-in syntactical 
sugar for the internal logic, invoked by means of the keyword internal which 
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signifies that formulas in the following block are to be understood as formulas 
of the internal logic. 

By means of the internal logic, one can then specify a class of complete 
partial orders and fixed point recursion in the style of HOLCF [14]. On top of 
this, syntactical sugar is provided that allows recursive function definitions in 
the style used in functional programming, indicated by the keyword program. 

HasCasl supports type classes. These are declared in the form 

class C 

and are to be understood as subsets of the syntactical universe of all types. 
Types as well as type variables can be restricted to belong to an assigned class, 
e.g. by writing 

type t : C 

In particular, axioms and operators may be polymorphic over classes. Classes 
may be subclasses of each other, and they may have generic instances. By 
attaching polymorphic operators and axioms to a class, one achieves a similar 
effect as with Haskell’s type classes. 

In a similar vein, one can add constructor classes to HasCasl. They can be 
interpreted as predicates on the syntactical universe of abstracted type expressions 
(also called pseudotypes), such as $\lambda a : \mathit{Type} \bullet a \to? \mathit{List}\ a$. As for type 
classes, there are constructor subclasses; types, operators, axioms may be poly- 
morphic over constructor classes; and this polymorphism is semantically coded 
by collections of instances. A typical example of a constructor class is the class 
of monads (see Figure 1). 

In summary, HasCasl is a language that allows both property-oriented spec- 
ification and functional programming; executable HasCasl specifications may 
easily be translated into Haskell programs. 

2 Monads for Computations 

On the basis of the seminal paper [8], monads are being used for encapsulating 
side effects in modern functional programming languages; in particular, this 
idea is one of the central concepts of Haskell [5]. Intuitively, a monad associates 
to each type A a type TA of computations of type A; a function with side 
effects that takes inputs of type A and returns values of type B is, then, just 
a function of type A — >■ TB. This approach abstracts away from particular 
notions of computation such as store, non-determinism, non-termination etc.; a 
surprisingly large amount of reasoning can in fact be carried out independently 
of the choice of such a notion. 

More formally, a monad on a given category $\mathbf{C}$ can be defined as a Kleisli 
triple $\mathbb{T} = (T, \eta, \_^*)$, where $T : \mathrm{Ob}\,\mathbf{C} \to \mathrm{Ob}\,\mathbf{C}$ is a function, the unit $\eta$ is a family 
of morphisms $\eta_A : A \to TA$, and $\_^*$ assigns to each morphism $f : A \to TB$ a 
morphism $f^* : TA \to TB$ such that 

$$\eta_A^* = \mathrm{id}_{TA}, \qquad f^*\eta_A = f, \qquad\text{and}\qquad g^* f^* = (g^* f)^*.$$

This description is equivalent to the more familiar one via an endofunctor with 
unit and multiplication [7]. "Functions with side effects" are then modeled in 
the Kleisli category of $\mathbb{T}$, which has the same objects as $\mathbf{C}$ and $\mathbf{C}$-morphisms 
$A \to TB$ as morphisms from $A$ to $B$. 

In order to support a language with finitary operations and multi-variable 
contexts, one needs a further technical requirement: a monad is called strong if 
it is equipped with a natural transformation $t_{A,B} : A \times TB \to T(A \times B)$ called 
tensorial strength, subject to certain coherence conditions (see e.g. [8]); this is 
equivalent to enrichment of the monad over $\mathbf{C}$ [8]. 

Example 1 ([8]). Computationally relevant monads on Set include 

– stateful computations with possible non-termination: $TA = (S \to? (A \times S))$, where $S$ is a fixed set of states and $\_ \to? \_$ denotes the partial function type; 

– (finite) non-determinism: $TA = \mathcal{P}_{fin}(A)$, where $\mathcal{P}_{fin}$ is the finite power set; 

– exceptions: $TA = A + E$, where $E$ is a fixed set of exceptions; 

– interactive input: $TA = \mu\gamma.\, A + (U \to \gamma)$, where $U$ is a set of input values; 

– non-deterministic stateful computations: $TA = (S \to \mathcal{P}_{fin}(A \times S))$; 

– continuations: $TA = (A \to R) \to R$, where $R$ is a type of results. 

Other typical examples of monads are the list monad, where $TA$ is the type of lists over $A$, and the free Abelian group monad, where $TA$ consists of expressions of the form $\ldots$ with integer coefficients and $a_i \in A$ for $i = 1, \dots, m$. 
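The Kleisli-triple presentation and the first three monads of Example 1, as an added illustration in Python (not code from the paper, and not HasCasl or Haskell): each monad is given by its unit ret and its extension operator $f \mapsto f^*$, partial functions (the $\to?$ type) are modelled by callables that may return None, and the three laws of the definition above are checked on constructed finite sample data. The state set, the value set and the sample functions f and g are constructed for this check and are not taken from the paper.

```python
"""Kleisli-triple presentation of three monads from Example 1 and a finite
check of the three laws  eta* = id,  f* . eta = f,  g* . f* = (g* . f)*.
Added illustration; not code from the paper or from HasCasl.  Partial
functions (the ->? type) are modelled as callables that may return None."""

STATES = (0, 1, 2)      # constructed finite state set S
VALUES = (0, 1, 2)      # constructed sample values of type A

# --- stateful computations with possible non-termination: TA = S ->? (A x S)
def st_ret(x):
    """eta_A(x) = lambda s . (x, s)"""
    return lambda s: (x, s)

def st_ext(f):
    """f* : TA -> TB.  Undefined (None) wherever y or f z is undefined."""
    def lifted(y):
        def run(s1):
            r = y(s1)
            if r is None:
                return None
            z, s2 = r
            return f(z)(s2)
        return run
    return lifted

def st_equal(y1, y2):
    """Extensional equality of partial state transformers on the finite S."""
    return all(y1(s) == y2(s) for s in STATES)

# --- (finite) non-determinism: TA = P_fin(A) -------------------------------
def nd_ret(x):
    return frozenset({x})

def nd_ext(f):
    return lambda y: frozenset().union(*[f(z) for z in y])

# --- exceptions: TA = A + E, encoded as ("ok", a) or ("exc", e) -------------
def ex_ret(x):
    return ("ok", x)

def ex_ext(f):
    return lambda y: f(y[1]) if y[0] == "ok" else y

def bind(ext, y, f):
    """Haskell-style  y >>= f  is  f*(y);  do x <- y; e  is  y >>= (lambda x: e)."""
    return ext(f)(y)

def check_laws(ret, ext, equal, values, samples, f, g):
    """Check the three Kleisli laws on finite sample data.
    values: elements of A;  samples: elements of TA;  f: A -> TB;  g: B -> TC."""
    gf = lambda v: bind(ext, f(v), g)          # Kleisli composite  g* . f : A -> TC
    return {
        "unit_ext": all(equal(ext(ret)(y), y) for y in samples),        # eta* = id
        "ext_unit": all(equal(ext(f)(ret(v)), f(v)) for v in values),    # f* . eta = f
        "assoc":    all(equal(ext(g)(ext(f)(y)), ext(gf)(y)) for y in samples),
    }

def laws_for_all_three():
    """Run the checks for the state, non-determinism and exception monads."""
    diverge = lambda s: None                    # a computation that never terminates
    st = check_laws(st_ret, st_ext, st_equal, VALUES,
                    [st_ret(v) for v in VALUES] + [diverge],
                    lambda x: (lambda s: None if s == 2 else (x + s, s + 1)),
                    lambda x: (lambda s: (2 * x, s)))
    nd = check_laws(nd_ret, nd_ext, lambda a, b: a == b, VALUES,
                    [nd_ret(v) for v in VALUES] + [frozenset(), frozenset({0, 1})],
                    lambda x: frozenset({x, x + 1}),
                    lambda x: frozenset() if x % 2 else frozenset({x // 2}))
    ex = check_laws(ex_ret, ex_ext, lambda a, b: a == b, VALUES,
                    [ex_ret(v) for v in VALUES] + [("exc", "boom")],
                    lambda x: ("exc", "zero") if x == 0 else ("ok", x - 1),
                    lambda x: ("ok", 10 * x))
    return {"state": st, "nondet": nd, "exception": ex}

if __name__ == "__main__":
    for name, laws in laws_for_all_three().items():
        print(name, laws)
```

The state-monad sample f is deliberately partial (undefined in state 2) and the sample list contains a diverging computation, so the check also exercises the case in which $f^*$ propagates undefinedness, which is the point of the partial-function discussion below Figure 2.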

Figure 1 shows a specification of monads in HasCasl. As an example of an instance for this type class, a specification of the state monad is shown in Figure 2. Since the operations of the monad are functions in the model, the monads thus specified are automatically strong, strength being equivalent to enrichment. The notation is (almost) identical to the one used in Haskell, i.e. the unit is denoted by ret, and the operator _>>=_ denotes, in the above notation, the function $(x, f) \mapsto f^*(x)$. This specification is the basis for a built-in sugaring in the form of a Haskell-style do-notation: for monadic expressions $e_1$ and $e_2$, 

do x ← e1; e2 

abbreviates $e_1 \mathbin{>>=} \lambda x \bullet e_2$. Further details will be discussed below. 

A slight complication concerning the axiomatization arises from the fact that partial functions are involved. Note that the second unit law $f^* \eta = f$ has been replaced by two axioms, one stating that the said equation holds on the domain of $f$, and another one stating that $f^* \eta$, while possibly having a larger domain of definition than $f$, behaves like $f$ under binding. This ensures that standard monads such as the state monad with its usual definition (under which $f^*$ is always a total function; cf. Figure 2 and the recent discussion on [4]) are actually subsumed, while leaving the essence of the proposed calculus untouched. Moreover, for the sake of simplicity of the further treatment, we have included the mono requirement (stating that ret is injective) in the specification. 

Reasoning about a category equipped with a strong monad is greatly facilitated by the fact that proofs can be conducted in a meta-language introduced in [8], which we here adapt to deal with partial functions. Although we do not a priori work in a category (this would require working out the details of how 
    spec Monad = InternalLogic then
      class Monad : Type → Type {
      vars T : Monad; A, B, C, D : Type
      ops _>>=_ : T A × (A →? T B) →? T B;
          ret : A → T A }
      internal {
      forall x, y : A; y : T A; f : A →? T B; g : B →? T C; a : A →? B
      • def (f x) ⇒ ((ret x) >>= f) = f x
      • y >>= (λx : A • ret (a x) >>= f) = y >>= (λx : A • f (a x))
      • (y >>= ret) = y
      • ((y >>= f) >>= g) = (y >>= (λx : A • f x >>= g))
      • ret x = ret y ⇒ x = y
      }

Fig. 1. The constructor class of monads 

    spec State = Monad then
      type instance ST : Monad
      vars A, B : Type
      internal {
      types S;
            ST A := S →? (A × S)
      forall x : A; y : ST A; f : A →? ST B
      • ret x = λs : S • (x, s)
      • (y >>= f) = λs1 : S • let (s2, z) = y s1 in f z s2 }

Fig. 2. Specification of the state monad 



the specification of monads induces a monad on the classifying category as constructed in [15]), the meta-language is still applicable here, as its logic can be obtained from the axioms in Figure 1. The crucial features of this language are 

– a type operator $T$; terms of type $TA$ are called ($A$-valued) programs or computations; 

– a polymorphic operator $\mathit{ret} : A \to TA$ corresponding to the unit; 

– a binding construct, which we here denote in Haskell's do style: 

do x ← p; q 

is interpreted by means of the tensorial strength and Kleisli composition [8]; this is equivalent to the do-notation introduced above. Intuitively, do x ← p; q computes p and passes the results on to q. Binding satisfies an associative law and three unit laws corresponding to the axioms in Figure 1. We denote nested do expressions like do x ← p; do y ← q; ... by do x ← p; y ← q; .... Repeated nestings such as do $x_1 \leftarrow p_1; \dots; x_n \leftarrow p_n; q$ are denoted in the form do $\bar{x} \leftarrow \bar{p}; q$. Term fragments of the form $\bar{x} \leftarrow \bar{p}$ are called program sequences. Variables $x_i$ that do not appear later on may be omitted from the notation. 
On top of a monad, one can generically define control structures such as a while loop. Such definitions require general recursion, which is realized in HasCasl by means of fixed point recursion on cpos. Thus, one has to restrict to monads that allow lifting a cpo structure on $A$ to a cpo structure on the type $TA$ of computations in such a way that the monad operations become continuous. This is laid out in detail in [17]. 

3 The Generic Approach to Side Effects and State 

We now discuss monad-independent notions of program properties such as side-effect freeness and determinism, as well as logical aspects of boolean-valued programs with effects. These concepts will be used to obtain a monad-independent notion of state, which forms the foundation for the interpretation of the box and diamond operators of dynamic logic introduced in the next section. The notions of (deterministic) side-effect freeness and validity of formulas with effects have been introduced in [17]; the concepts of termination, state, and state discloser are new. We will phrase all definitions in terms of the meta-language for monads, using the fixed notation $T$ for the monad, $T$ for the associated type constructor etc. throughout. 

Definition 2. A program $p$ is called side-effect free if 

$$(\mathrm{do}\ y \leftarrow p;\ \mathit{ret}\ *) = \mathit{ret}\ * \qquad (\text{shorthand: } \mathit{sef}(p)),$$ 

where $*$ is the unique element of the unit type. 

Side-effect free programs have the expected properties: 

Lemma 3. If $p$ is side-effect free, then 

$$(\mathrm{do}\ p;\ q) = q$$ 

for each program $q$, provided that $q$ is defined. Moreover, if $p, q : T1$, then 

$$(\mathrm{do}\ q;\ p) = q.$$ 

Example 4. A program $p$ is side-effect free 

– in the state monad iff $p$ terminates and does not change the state; 

– in the non-determinism monad iff $p$ always has at least one possible outcome; 

– in the exception monad iff $p$ terminates normally; 

– in the interactive input monad iff $p$ never reads any input; 

– in the non-deterministic state monad iff $p$ does not change the state and always has at least one possible outcome (i.e. never gets stuck). 

Remark 5. A program $p$ is called stateless if it factors through $\mathit{ret}$, i.e. if it is just a value inserted into the monad. For example, in the state monad, statelessness means that the program neither changes nor reads the state ($p$ is stateless iff $p$ exists in the sense of [8]). Stateless programs are side-effect free, but not vice versa. 
We will want to regard programs that return truth values as formulas with side effects in a modal logic setting. A basic notion we need for such formulas is that of global validity, which we denote explicitly by a 'global box' $\boxdot$: 

Definition 6. Given a term $\varphi$ of type $T\Omega$, where $\Omega$ denotes the type of internal truth values, $\boxdot\varphi$ abbreviates 

$$\varphi = \mathrm{do}\ \varphi;\ \mathit{ret}\ \top.$$ 

If $\varphi$ is side-effect free, then $\boxdot\varphi$ simplifies to $\varphi = \mathit{ret}\ \top$; otherwise, the formula above ensures that the right hand side has the same side-effect as $\varphi$. 

Remark 7. Note that the equality symbol $=$ in the definition of the formula $\boxdot\varphi$ above is strong equality. In particular, in the classical case $\boxdot\varphi$ is true if $\varphi$ is undefined. 

Example 8. In the monads of Example 1, satisfaction of $\boxdot\varphi$ amounts to the following: 

– in the state monad: successful execution of $\varphi$ from any initial state yields $\top$; 

– in the non-determinism monad: $\varphi$ yields at most the value $\top$ (or none at all); 

– in the exception monad: $\varphi$ yields $\top$ whenever it terminates normally; 

– in the interactive input monad: the value eventually produced by $\varphi$ after some combination of inputs is always $\top$; 

– in the non-deterministic state monad: execution of $\varphi$ from any initial state yields at most the value $\top$. 

In order to perform proofs about the logic introduced below, we require an auxiliary calculus for judgements of the form $[\bar x \leftarrow \bar p]_G\ \varphi$, which intuitively state that $\varphi$ holds after $\bar x \leftarrow \bar p$, where $\varphi$ is an actual formula of the internal logic (i.e. $\varphi : \Omega$). The idea is to work with formulas that have all state-dependence shoved to the outside, so that the usual logical rules apply to the remaining part. Formally, $[\bar x \leftarrow \bar p]_G\ \varphi$ abbreviates (slightly deviating from [17]) 

$$(\mathrm{do}\ \bar x \leftarrow \bar p;\ \mathit{ret}(\bar x, \varphi)) = \mathrm{do}\ \bar x \leftarrow \bar p;\ \mathit{ret}(\bar x, \top).$$ 

The degenerate case $[\,]_G\ \varphi$ is (by the mono requirement) equivalent to $\varphi$. Note that $[x \leftarrow p; y \leftarrow q]_G\ \varphi$ is properly weaker than $[x \leftarrow p]_G\ [y \leftarrow q]_G\ \varphi$. 

The intuition behind this definition is the same as for $\boxdot$. Indeed, in many cases, $[\bar x \leftarrow \bar p]_G\ \varphi$ is semantically equivalent to 

$$\boxdot\ \mathrm{do}\ \bar x \leftarrow \bar p;\ \mathit{ret}\ \varphi;$$ 

monads for which this equivalence holds will be called simple. A monad with rank over Set, presented by a signature and equations, is simple if, in each equation, the two sides contain the same variables; this covers e.g. the exception monad, the non-determinism monad, and the list monad. Moreover, the usual state monads are simple, although their known equational presentation [11] does not satisfy the variable requirement. In general, however, $\boxdot\ \mathrm{do}\ \bar x \leftarrow \bar p;\ \mathit{ret}\ \varphi$ 
($\wedge$I) $[\bar x \leftarrow \bar p]_G\ \varphi$ and $[\bar x \leftarrow \bar p]_G\ \psi$ $\quad\Longleftrightarrow\quad$ $[\bar x \leftarrow \bar p]_G\ \varphi \wedge \psi$ (double line) 

($\sqsubseteq$) from $[\bar x \leftarrow \bar p]_G\ q_1 = q_2$ and $[\bar x \leftarrow \bar p; y \leftarrow q_1; \bar z \leftarrow \bar r]_G\ \varphi$ infer $[\bar x \leftarrow \bar p; y \leftarrow q_2; \bar z \leftarrow \bar r]_G\ \varphi$ 

(app) from $[\bar x \leftarrow \bar p]_G\ \varphi$ infer $[\bar x \leftarrow \bar p; y \leftarrow q]_G\ \varphi$ $\quad (y \notin FV(\varphi))$ 

(pre) (subject to the variable condition on $x$ stated in the text) 

(ctr) $[\ldots; x \leftarrow p; y \leftarrow q; \bar z \leftarrow \bar r]_G\ \varphi$ $\quad\Longleftrightarrow\quad$ $[\ldots; y \leftarrow (\mathrm{do}\ x \leftarrow p;\ q); \bar z \leftarrow \bar r]_G\ \varphi$ (double line) $\quad (x \notin FV(\varphi) \cup FV(\bar r))$ 

(ret) $[x \leftarrow \mathit{ret}\ a]_G\ x = a$ 

Fig. 3. The auxiliary calculus 



is properly weaker than $[\bar x \leftarrow \bar p]_G\ \varphi$. E.g., in the free Abelian group monad, one has $\boxdot\ \mathrm{do}\ x \leftarrow (a - b);\ \mathit{ret}\ \bot$, but not $[x \leftarrow (a - b)]_G\ \bot$. Similarly, the continuation monad fails to be simple. For purposes of presentation, we shall henceforth assume simplicity of the monad at hand; this can, however, be avoided at the price of having slightly more complicated definitions. 

In Figure 3, double lines indicate that a rule works in both directions. The set of free variables of $\varphi$ is denoted by $FV(\varphi)$. Rule (pre) is subject to the usual variable condition on $x$ (i.e. $x$ does not occur freely in undischarged assumptions). The calculus is sound: 

Theorem 9. If $[\bar y \leftarrow \bar q]_G\ \psi$ is deducible from $[\bar x \leftarrow \bar p]_G\ \varphi$ by the rules of Figure 3, then $([\bar x \leftarrow \bar p]_G\ \varphi) \Rightarrow ([\bar y \leftarrow \bar q]_G\ \psi)$ holds in the internal logic. 

An important derived rule is 

(sef) from $[\bar x \leftarrow \bar p;\ q;\ \bar z \leftarrow \bar r]_G\ \varphi$ infer $[\bar x \leftarrow \bar p;\ \bar z \leftarrow \bar r]_G\ \varphi$ $\quad (\mathit{sef}(q))$. 



For side-effect free programs, we can now express determinacy: 

Definition 10. A side-effect free program $p$ is deterministically side-effect free (dsef) if 

$$[x \leftarrow p;\ y \leftarrow p]_G\ x = y \qquad (\text{shorthand: } \mathit{dsef}(p)).$$ 

Stateless programs are dsef. In most of the running examples, all side-effect free programs are dsef, with the unsurprising exception of the monads where non-determinism is involved. In these cases, a side-effect free program is dsef iff it is deterministic. The subtype of $TA$ formed by the deterministically side-effect free computations will be denoted by $DA$ throughout. 

Deterministically side-effect free subterms of programs can be handled notationally in a more relaxed way. The basis for this is the following: 

Lemma 11. Let $r$ be a program, and let $p$ and $q$ be dsef. Then 

(i) $(\mathrm{do}\ x \leftarrow p;\ y \leftarrow p;\ r) = \mathrm{do}\ x \leftarrow p;\ r[y/x]$, and 
(ii) $(\mathrm{do}\ x \leftarrow p;\ y \leftarrow q;\ r) = \mathrm{do}\ y \leftarrow q;\ x \leftarrow p;\ r$. 

Corollary 12 (Structural rules). Let $\varphi : \Omega$ be a formula, and let $p$ and $q$ be dsef. Then 

(i) $[\ldots; x \leftarrow p;\ y \leftarrow p;\ \bar z \leftarrow \bar r]_G\ \varphi \Leftrightarrow [\ldots; x \leftarrow p;\ \bar z \leftarrow \bar r[y/x]]_G\ \varphi[y/x]$; 

(ii) $[\ldots; x \leftarrow p;\ y \leftarrow q; \ldots]_G\ \varphi \Leftrightarrow [\ldots; y \leftarrow q;\ x \leftarrow p; \ldots]_G\ \varphi$. 

Since side-effect freeness amounts to 'context weakening', we can thus safely allow terms and formulas in which terms of type $DA$ occur in places where a term of type $A$ is expected. More precisely, if $\bar x = (x_1, \dots, x_n)$ is a list of variables of types $A_1, \dots, A_n$, then we admit terms $q[\bar x/\bar p]$ where the $x_i$ are substituted by terms $p_i : DA_i$; such a term is just an abbreviation for $\mathrm{do}\ \bar x \leftarrow \bar p;\ q$, with well-definedness guaranteed by Lemma 11. Similarly, $[\bar y \leftarrow \bar q]_G\ \varphi[\bar x/\bar p]$ abbreviates $[\bar y \leftarrow \bar q;\ \bar x \leftarrow \bar p]_G\ \varphi$, with well-definedness guaranteed by Corollary 12. 

A further abstraction concerns the termination of programs: 

Definition 13. A program $p$ terminates if 

$$[\bar x \leftarrow \bar q;\ p]_G\ \varphi \quad\text{implies}\quad [\bar x \leftarrow \bar q]_G\ \varphi$$ 

for each program sequence $\bar x \leftarrow \bar q$ and each $\varphi$. 

E.g., in the non-determinism monad, $p$ terminates iff $p \neq \emptyset$. In the state monad, $p : S \to? (A \times S)$ terminates iff $p$ is total. All side-effect free programs terminate. 
We can now give a monad-independent definition of state: 

Definition 14. A state is an element $s : T1$ such that $s$ terminates and such that there exists, for each dsef program $p : DA$, a (necessarily unique) element $a : A$ such that 

$$(\mathrm{do}\ s;\ p) = \mathrm{do}\ s;\ \mathit{ret}\ a.$$ 

A state $s$ is called forcible if, for each terminating program $p$, 

$$s = \mathrm{do}\ p;\ s.$$ 

Example 15. In our running examples, the notions of state and forcible state explicate as follows: 

– the states of the state monad are the constant state transformers $\lambda s : S \bullet (*, t)$, where $t \in S$. All of these states are forcible. Of course, the set of constant state transformers is isomorphic to the set $S$, i.e. the definition does indeed capture the original states. The situation is essentially the same in the non-deterministic state monad, where the states are the constant deterministic state transformers $\lambda s : S \bullet \{(*, t)\}$. 

– Both the exception monad and the non-determinism monad have only one state ('running'), namely the unique terminating element of $T1$, i.e. $*$ in the exception monad, and $\{*\}$ in the non-determinism monad. In both cases, this state is forcible. 

– The states of the interactive input monad are the elements of $T1$, i.e. the $U$-branching trees with trivially labelled leaves. None of these states are forcible, in accordance with the intuition that one cannot unread input. 

We will henceforth denote the type of forcible states by $\mathcal{S}$. ($\mathcal{S}$ can be thought of as being defined as a subtype of $T1$.) 

The main result of this section is a structure theorem concerning the type $DA$ of deterministically side-effect free programs. This theorem will be applied to the case of dsef formulas in Section 4. It relies on the existence of a program that 'gives away' the present state: 

Definition 16. A dsef program $d : D\mathcal{S}$ is called a state discloser if 

$$\mathrm{do}\ x \leftarrow d;\ x$$ 

is side-effect free (i.e. equal to $\mathit{ret}\ *$, thus even stateless). 

Example 17. In monads with only one forcible state $s$, such as the non-determinism monad or the exception monad, there is, trivially, a state discloser in the shape of the term $\mathit{ret}\ s$. In the state monad, we may identify the set of forcible states with the originally given set $S$ of states (cf. Example 15); then, the element 

$$\lambda s : S \bullet (s, s)$$ 

of $D\mathcal{S}$ is a state discloser. This works analogously for the non-deterministic state monad. In this sense, the notion of state discloser axiomatizes the lookup operator mentioned in [9]. The interactive input monad does not have a state discloser, since here $\mathcal{S}$ and, hence, $T\mathcal{S}$ are empty. 

A final prerequisite is the introduction (only for purposes of meta-reasoning) of a unique description operator into the internal language: the term $\iota a : A \bullet \varphi$ will denote the element $a$ that satisfies $\varphi$ if a unique such element exists, and will otherwise be undefined. By results of [18], this is a definitional language extension and thus unproblematic. 

The announced structure theorem confirms the intuition that deterministically side-effect free computations are essentially state-dependent values: 

Theorem 18. If $T$ has a state discloser $d$, then for each type $A$, 

$$DA \cong (\mathcal{S} \to A),$$ 

where the isomorphism maps $y : DA$ to 

$$\lambda s : \mathcal{S} \bullet \iota a : A \bullet (\mathrm{do}\ s;\ y = \mathrm{do}\ s;\ \mathit{ret}\ a)$$ 

and its inverse maps $f : \mathcal{S} \to A$ to 

$$\mathrm{do}\ x \leftarrow d;\ \mathit{ret}\ f(x).$$ 
By Example 17, this theorem applies to most of our running example monads, except the interactive input monad which does not have a state discloser (and for which indeed the structure theorem fails to hold, since there are no forcible states), and the continuation monad. 

Remark 19. By the above theorem, the state discloser is unique if it exists, being the element of $D\mathcal{S}$ that is mapped to the identity on $\mathcal{S}$ under the isomorphism $D\mathcal{S} \cong (\mathcal{S} \to \mathcal{S})$. 

4 Interpreting Dynamic Logic 

The approach to Hoare logic pursued in [17] was partly driven by the concept of interpreting formulas and programs within one and the same framework, that is, in the HasCasl internal logic, respectively in the meta-language over an arbitrary monad. This required giving a semantics to Hoare triples $\{\varphi\}\ p\ \{\psi\}$; for this purpose, a notion of global validity was sufficient. By contrast, formulas of dynamic logic allow a nesting of modal operators of the nature 'after execution of $p$' and the usual connectives of first order logic. This means informally that the state is changed according to the effect of $p$ within the scope of the modal operator, but is 'restored' outside that scope. E.g., in a dynamic logic formula such as 

$$[p]\varphi \wedge [q]\psi,$$ 

the subformulas $\varphi$ and $\psi$ are evaluated in modified states, but $[p]\varphi$ and $[q]\psi$ are evaluated in the same state. 

This means that the semantics of $[p]\varphi$ must be side-effect free, although $p$ may have side-effects that affect $\varphi$. Moreover, one will expect that a formula evaluates to a deterministic truth value (although $p$ may be non-deterministic). Thus, it is reasonable to require that formulas are interpreted as deterministically side-effect free $\Omega$-valued programs. We state explicitly 

Definition 20. A formula (of dynamic logic) is a term $\varphi : D\Omega$. 

(Recall here the notation for dsef subterms introduced after Corollary 12.) 

The question is now if $D\Omega$ has enough structure to allow the interpretation of the diamond and box operators $\langle p\rangle$ and $[p]$ of dynamic logic. The interpretation can be introduced axiomatically in a rather straightforward manner. To begin, observe that $D\Omega$ is made into a partial order by putting 

$$\varphi \le \psi \quad\Longleftrightarrow\quad (\varphi \Rightarrow \psi)$$ 

for $\varphi, \psi : D\Omega$. The crucial requirement for dynamic logic is, then, the existence of lower and upper deterministically side-effect free approximations for $\Omega$-valued program sequences: 

Definition 21. We say that $T$ admits (propositional) dynamic logic if there exist, for each $\varphi : T\Omega$, a formula $\Box\varphi : D\Omega$ such that 

$$([\bar x \leftarrow \bar p]_G\ x_i \Rightarrow \Box\varphi) \quad\Longleftrightarrow\quad ([\bar x \leftarrow \bar p;\ a \leftarrow \varphi]_G\ x_i \Rightarrow a)$$ 

for each program sequence $\bar x \leftarrow \bar p$ containing $x_i : \Omega$ and, dually, a formula $\Diamond\varphi : D\Omega$ such that 

$$([\bar x \leftarrow \bar p]_G\ \Diamond\varphi \Rightarrow x_i) \quad\Longleftrightarrow\quad ([\bar x \leftarrow \bar p;\ a \leftarrow \varphi]_G\ a \Rightarrow x_i).$$ 

$T$ admits quantified dynamic logic if, additionally, $D\Omega$ is a complete lattice. In this case, joins and meets in $D\Omega$ are denoted by $\bigvee$ and $\bigwedge$, respectively. 

(N.B.: since the internal logic is in general intuitionistic, one cannot define $\langle \bar y \leftarrow \bar q\rangle$ as $\neg[\bar y \leftarrow \bar q]\neg$.) The formulas $\Box\varphi$ and, dually, $\Diamond\varphi$ are uniquely determined (in contrast to the modalities in [10], which are part of the interpretation structure): 

Lemma 22. If $T$ admits dynamic logic, then $\Box\varphi$ is the greatest formula (w.r.t. the ordering introduced above) $\psi : D\Omega$ such that 

$$[a \leftarrow \psi;\ b \leftarrow \varphi]_G\ a \Rightarrow b.$$ 

If Theorem 18 is applicable, then $D\Omega$ is order-isomorphic to $\mathcal{S} \to \Omega$ equipped with the pointwise order, hence a complete lattice with joins and meets formed pointwise. It follows that there exist, for $\varphi : T\Omega$, (unique) formulas $\Box\varphi$ and $\Diamond\varphi$ that satisfy the properties in Lemma 22. Under two weak additional assumptions (hoped to be dispensed with in the future), we can prove that in this case, $T$ admits dynamic logic. 

Definition 23. A state $s : \mathcal{S}$ is called logically splitting if, for all program sequences $\bar x \leftarrow \bar p$ and $\bar y \leftarrow \bar q$ and for each formula $\varphi$, 

$$[\bar x \leftarrow \bar p;\ s;\ \bar y \leftarrow \bar q]_G\ \varphi \quad\text{implies}\quad [\bar x \leftarrow \bar p]_G\ [s;\ \bar y \leftarrow \bar q]_G\ \varphi.$$ 

(The converse implication holds universally.) In the running examples, all forcible states are logically splitting; we conjecture that this is in fact always the case. 

Definition 24. A monad is logically regular if, for each $\varphi : T\Omega$, 

$$[a \leftarrow \varphi]_G\ (([b \leftarrow \varphi]_G\ b) \Rightarrow a).$$ 

Classically, all monads are logically regular. We conjecture that this holds also in the intuitionistic case. 

Theorem 25. If $T$ is logically regular and has a state discloser, and if all forcible states are logically splitting, then $T$ admits quantified dynamic logic. 

Example 26. In those of our running example monads that have only one forcible state, $\Box\varphi$ and $\Diamond\varphi$ are just truth values. E.g., in the exception monad, $\Box\varphi$ is true iff $\varphi$ either throws an exception or returns $\top$, while $\Diamond\varphi$ is true iff $\varphi$ returns $\top$. In the nondeterminism monad, $\Box\varphi$ holds iff $\varphi \subseteq \{\top\}$, and $\Diamond\varphi$ holds iff $\top \in \varphi$. 

In the various state monads, $\Box\varphi$ and $\Diamond\varphi$ depend on the state $s$. E.g., in the non-deterministic state monad, $\Box\varphi$ holds in a state $s$ iff $\varphi(s) \subseteq \{\top\} \times S$, and $\Diamond\varphi$ holds in $s$ iff there exists $s'$ such that $(\top, s') \in \varphi(s)$. 
Remark 27. The interactive input monad does admit quantified dynamic logic, although it does not have a state discloser. In fact, it is unclear whether there are monads that fail to admit dynamic logic; a good candidate for such a counterexample is the continuation monad. This is subject of further research. 

If $T$ admits dynamic logic, then one has the usual syntax of dynamic logic with the modal operators given by 

$$[\bar x \leftarrow \bar p]\varphi := \Box\ \mathrm{do}\ \bar x \leftarrow \bar p;\ \varphi \qquad\text{and}\qquad \langle \bar x \leftarrow \bar p\rangle\varphi := \Diamond\ \mathrm{do}\ \bar x \leftarrow \bar p;\ \varphi,$$ 

and the logical connectives defined by substitution of dsef terms as explained after Corollary 12. Actual truth values, i.e. terms of type $\Omega$, appearing in dynamic logic formulas are implicitly cast to $D\Omega$ via $\mathit{ret}$; it is easy to see that this is compatible with the interpretation of the logical connectives and hence does not lead to confusion. If $T$ admits quantified dynamic logic, then one can also interpret universal and existential quantification by putting 

$$\forall x : A \bullet \varphi(x) = \bigwedge_{x : A} \varphi(x) \qquad\text{and}\qquad \exists x : A \bullet \varphi(x) = \bigvee_{x : A} \varphi(x).$$ 

Note that, as in the monad-independent Hoare logic of [17], we admit program sequences inside the modal operators in order to accommodate reasoning about intermediate results. A side benefit of this (e.g. in comparison to [10]) is the possibility of expressing natural axioms concerning composite sequences (Axioms (seq$\Box$) and (seq$\Diamond$) in Figure 4). 

In quantified dynamic logic, the modal operators are interrelated in a way analogous to quantifiers in intuitionistic logic: 

Theorem 28. If $T$ admits quantified dynamic logic, then $\Diamond\varphi$ is expressible as 

$$\bigwedge a : \Omega \bullet \Box(\varphi \Rightarrow a) \Rightarrow a.$$ 

Validity of formulas is, as usual in modal logics, defined via the global box: 

Definition 29. A formula $\varphi : D\Omega$ is valid if $\boxdot\varphi$ holds, i.e. if $\varphi = \mathit{ret}\ \top$. 

Figure 4 shows a generic Hilbert style proof calculus for dynamic logic (we shall not be concerned with deduction in quantified dynamic logic here). The necessitation rule is subject to the usual constraints on the variables $\bar x$. The first five axioms are the standard axioms of the K-fragment of intuitionistic modal logic as given e.g. in [12, 19], with a slight variation of the third axiom: the usual form $\neg\langle p\rangle\bot$ is a special case of the second of the two dual forms given. All intuitionistic propositional tautologies are implicitly included here. Moreover, there are four axioms concerning composition of program sequences. The last three axioms concern programs that enjoy particular properties as defined above; these properties are side conditions that are expected to be discharged outside the calculus. However, the axioms are applicable to stateless programs $\mathit{ret}\ a$ without further ado, so that the two generic program constructors (sequential composition and return) are covered. 

As in the case of the generic Hoare rules of [17], axioms that deal with monad-specific program constructs are necessarily missing here; typical examples include the nondeterministic choice and iteration constructs of standard dynamic logic. Such specific formulas come in via the specifications of particular monads; in fact, they often turn out to be a good choice for actual axioms of the specification. 



Rules: 

(nec) from $\varphi$ infer $[\bar x \leftarrow \bar p]\varphi$ (variable condition on $\bar x$) 

(mp) from $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$ 

Axioms: 

(K1) $[\bar x \leftarrow \bar p](\varphi \Rightarrow \psi) \Rightarrow ([\bar x \leftarrow \bar p]\varphi \Rightarrow [\bar x \leftarrow \bar p]\psi)$ 

(K2) $[\bar x \leftarrow \bar p](\varphi \Rightarrow \psi) \Rightarrow (\langle \bar x \leftarrow \bar p\rangle\varphi \Rightarrow \langle \bar x \leftarrow \bar p\rangle\psi)$ 

(K3$\Box$) $\mathit{ret}\ \varphi \Rightarrow [p]\ \mathit{ret}\ \varphi$ 

(K3$\Diamond$) $\langle p\rangle\ \mathit{ret}\ \varphi \Rightarrow \mathit{ret}\ \varphi$ 

(K4) $\langle \bar x \leftarrow \bar p\rangle(\varphi \vee \psi) \Rightarrow (\langle \bar x \leftarrow \bar p\rangle\varphi \vee \langle \bar x \leftarrow \bar p\rangle\psi)$ 

(K5) $(\langle \bar x \leftarrow \bar p\rangle\varphi \Rightarrow [\bar x \leftarrow \bar p]\psi) \Rightarrow [\bar x \leftarrow \bar p](\varphi \Rightarrow \psi)$ 

(seq$\Box$) $[\bar x \leftarrow \bar p;\ \bar y \leftarrow \bar q]\varphi \Leftrightarrow [\bar x \leftarrow \bar p][\bar y \leftarrow \bar q]\varphi$ 

(seq$\Diamond$) $\langle \bar x \leftarrow \bar p;\ \bar y \leftarrow \bar q\rangle\varphi \Leftrightarrow \langle \bar x \leftarrow \bar p\rangle\langle \bar y \leftarrow \bar q\rangle\varphi$ 

(ctr$\Box$) relates $[x \leftarrow p;\ y \leftarrow q]\varphi$ and $[y \leftarrow (\mathrm{do}\ x \leftarrow p;\ q)]\varphi$ $\quad (x \notin FV(\varphi))$ 

(ctr$\Diamond$) relates $\langle x \leftarrow p;\ y \leftarrow q\rangle\varphi$ and $\langle y \leftarrow (\mathrm{do}\ x \leftarrow p;\ q)\rangle\varphi$ $\quad (x \notin FV(\varphi))$ 

(dsef$\Box$) $[x \leftarrow p]\varphi \Leftrightarrow \varphi[x/p]$ (if $p$ is dsef) 

(dsef$\Diamond$) $\langle x \leftarrow p\rangle\varphi \Leftrightarrow \varphi[x/p]$ (if $p$ is dsef) 

(tm) $\langle p\rangle\top$ (if $p$ terminates) 

(sef$\Box$) $[p]\varphi \ldots$ (if $p$ is sef) 

(sef$\Diamond$) $\langle p\rangle\varphi \ldots$ (if $p$ is sef) 

(ssef) $[p]\varphi \ldots$ (if $p$ is strongly sef) 

Fig. 4. The generic proof calculus for propositional dynamic logic 



The proof calculus is sound: 

Theorem 30. Let $T$ admit dynamic logic. If a formula $\psi$ can be deduced from formulas $\varphi_1, \dots, \varphi_n$ by means of the rules of Figure 4, then validity of the $\varphi_i$ implies validity of $\psi$, i.e. $\bigwedge_i \boxdot\varphi_i \Rightarrow \boxdot\psi$. 

The proof relies on the auxiliary calculus of Figure 3. Completeness of the calculus is the subject of further research. 

Remark 31. If $T$ is simple, then the converses of Axioms (ctr$\Box$), (ctr$\Diamond$) hold. 

5 From Partial to Total Correctness 

Classically as well as in the monad-independent setting, dynamic logic subsumes Hoare logic: the monad-independent Hoare triples introduced in [17] can be expressed in dynamic logic as 

$$\{\varphi\}\ \bar x \leftarrow \bar p\ \{\psi\} \quad:\Longleftrightarrow\quad (\varphi \Rightarrow [\bar x \leftarrow \bar p]\psi).$$ 

An obvious expressive advantage of dynamic logic over Hoare logic is its local nature, i.e. formulas hold locally, in any given state. By contrast, Hoare triples only provide global axiomatizations, where each formula is separately quantified over all states. Beyond this, a crucial feature of dynamic logic is its ability to express termination. 

In the Hoare calculus, non-termination can be expressed by stating that the postcondition $\bot$ holds. However, Hoare logic is too weak to express termination, while the formula $\langle p\rangle\top$ of dynamic logic indeed states that $p$ terminates in the monad-independent sense defined above (which has the expected meaning in concrete monads). We now can give a meaning to Hoare triples for total correctness by interpreting them as partial correctness plus termination: 

$$[\varphi]\ \bar x \leftarrow \bar p\ [\psi] \quad:\Longleftrightarrow\quad (\varphi \Rightarrow (\langle \bar x \leftarrow \bar p\rangle\top \wedge [\bar x \leftarrow \bar p]\psi)).$$ 

The iteration rule from [17] ($\mathit{iter}\ b\ p\ e$ iterates $p : A \to TA$, starting from the initial value $e : A$, while $b : A \to T(\mathit{bool})$ is satisfied) can be adjusted to cope with total correctness, along the lines of [6]: 

(iter-total) 

$t : A \to B$, $\quad <\ : B \times B \to \Omega$ is well-founded, 

$\Gamma \rhd [\varphi \wedge b\,x \wedge \mathit{ret}(t\,x = z)]\ y \leftarrow p\,x\ [\varphi[x/y] \wedge \mathit{ret}(t\,y < z)]$ 

—————————————————————————————— 

$\Gamma \rhd [\varphi[x/e]]\ y \leftarrow \mathit{iter}\ b\ p\ e\ [\varphi[x/y] \wedge \neg(b\,y)]$ 

while the other rules can be carried over from the Hoare calculus for partial correctness. 

Using the monad-independent Hoare calculus, we have, for instance, axiomatized the join operator in the non-determinism monad by 

$$\{\varphi\}\ x \leftarrow p\ \{\chi_1\} \wedge \{\varphi\}\ x \leftarrow q\ \{\chi_2\} \Rightarrow \{\varphi\}\ x \leftarrow p|q\ \{\chi_1 \vee \chi_2\}.$$ 

With dynamic logic, a more fine-grained specification of non-determinism is possible: 

$$\langle p|q\rangle\varphi \Leftrightarrow (\langle p\rangle\varphi \vee \langle q\rangle\varphi)$$ 

$$[p|q]\varphi \Leftrightarrow ([p]\varphi \wedge [q]\varphi)$$ 

From the second axiom, we easily get the Hoare rule above by taking $\varphi$ to be $\chi_1 \vee \chi_2$. But we get more than that: the first axiom implies that $p|q$ terminates if and only if $p$ or $q$ terminates. This is not expressible in Hoare logic. Moreover, it is now easy, using the rule (iter-total) above, to prove termination of the non-deterministic variant of Euclid's algorithm for computing the greatest common divisor (the partial correctness of which has been proved as an example in [17]). 
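The box and diamond of Example 26 in the non-deterministic state monad, together with the dynamic-logic reading of Hoare triples and the two choice axioms above, as an added illustration that is not code from the paper. Programs $S \to \mathcal{P}_{fin}(A \times S)$ are dicts from states to finite sets of (value, state) pairs; via Theorem 18, formulas of type $D\Omega$ are represented as state predicates, and $[p]\varphi$ and $\langle p\rangle\varphi$ are computed as $\Box$ and $\Diamond$ of do $p$; $\varphi$. The state set, the sample programs STEP and JUMP (the latter gets stuck in one state) and the sample formulas are constructed for the demonstration; the check shows that a stuck program satisfies every box formula vacuously, which is exactly why partial-correctness Hoare triples cannot express termination while $\langle p\rangle\top$ can.

```python
"""Box and diamond of Example 26 in the non-deterministic state monad
TA = S -> P_fin(A x S), the dynamic-logic encoding of Hoare triples and the
choice axioms of Section 5.  Added illustration, not code from the paper.
Programs are dicts  s -> frozenset of (a, s');  formulas (type D Omega) are,
via Theorem 18, represented as state predicates S -> bool."""

STATES = (0, 1, 2, 3)        # constructed finite state set S
UNIT = ()                    # the element * of the unit type

def ret(a):
    return {s: frozenset({(a, s)}) for s in STATES}

def bind(y, f):
    """do x <- y; f x : all (result, state) pairs reachable through y and then f."""
    return {s: frozenset().union(*[f(a)[s2] for (a, s2) in y[s]]) for s in STATES}

def seq(y, q):
    return bind(y, lambda _: q)

def choice(p, q):
    """The join p|q: pointwise union of the outcome sets."""
    return {s: p[s] | q[s] for s in STATES}

def terminates(p):
    """p terminates iff it never gets stuck, i.e. p(s) is non-empty for every s."""
    return all(p[s] for s in STATES)

def lift(phi):
    """Cast a state predicate to the dsef Omega-valued program lambda s . {(phi(s), s)}."""
    return {s: frozenset({(phi(s), s)}) for s in STATES}

def box(prog):
    """Example 26: box(prog) holds in s iff prog(s) is contained in {T} x S."""
    return lambda s: all(v is True for (v, _) in prog[s])

def diamond(prog):
    """diamond(prog) holds in s iff (T, s') is in prog(s) for some s'."""
    return lambda s: any(v is True for (v, _) in prog[s])

def box_after(p, phi):
    """[p] phi := box (do p; phi)"""
    return box(seq(p, lift(phi)))

def diamond_after(p, phi):
    """<p> phi := diamond (do p; phi)"""
    return diamond(seq(p, lift(phi)))

def valid(formula):
    """Definition 29: valid iff equal to ret T, i.e. true in every state."""
    return all(formula(s) for s in STATES)

def equivalent(f1, f2):
    return all(f1(s) == f2(s) for s in STATES)

def hoare(pre, p, post):
    """Section 5:  {pre} p {post}  :<=>  (pre => [p] post) is valid."""
    return valid(lambda s: (not pre(s)) or box_after(p, post)(s))

def check_section5(p, q, phi, pre, chi1, chi2):
    """The two choice axioms, (tm) for p, q and p|q, and the derived Hoare rule."""
    top = lambda s: True
    dia = equivalent(diamond_after(choice(p, q), phi),
                     lambda s: diamond_after(p, phi)(s) or diamond_after(q, phi)(s))
    bx = equivalent(box_after(choice(p, q), phi),
                    lambda s: box_after(p, phi)(s) and box_after(q, phi)(s))
    tm = all(valid(diamond_after(r, top)) == terminates(r) for r in (p, q, choice(p, q)))
    premises = hoare(pre, p, chi1) and hoare(pre, q, chi2)
    conclusion = hoare(pre, choice(p, q), lambda s: chi1(s) or chi2(s))
    return {"diamond_choice": dia, "box_choice": bx, "tm": tm,
            "hoare_join": (not premises) or conclusion, "premises_hold":premises}

# Constructed sample programs and formulas.
STEP = {s: frozenset({(UNIT, (s + 1) % 4), (UNIT, s)}) for s in STATES}      # advance or stay
JUMP = {s: frozenset() if s == 3 else frozenset({(UNIT, 3)}) for s in STATES}  # stuck in 3
NONZERO = lambda s: s != 0
MIDDLE = lambda s: s in (1, 2)
CHI1 = lambda s: s in (1, 2, 3)
CHI2 = lambda s: s == 3

if __name__ == "__main__":
    print(check_section5(STEP, JUMP, NONZERO, MIDDLE, CHI1, CHI2))
    print("[JUMP]NONZERO in 3:", box_after(JUMP, NONZERO)(3),
          " <JUMP>T in 3:", diamond_after(JUMP, lambda s: True)(3))
```

In state 3 the stuck program JUMP satisfies $[\mathit{JUMP}]\varphi$ for every $\varphi$ but fails $\langle \mathit{JUMP}\rangle\top$, so the total-correctness triple $[\varphi]\ \mathit{JUMP}\ [\psi]$ of Section 5, which conjoins $\langle p\rangle\top$ with $[p]\psi$, is false there while the partial-correctness triple is true.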

6 Conclusion 

Building on results on monad-independent reasoning about program properties developed in [17], we have designed a monad-independent dynamic logic and a representation of this logic in the internal logic of HasCasl, i.e. essentially in intuitionistic partial higher order logic. The main problem here was to provide a monad-independent semantics of the dynamic modal operators. As a solution, we have introduced an axiomatic method which imposes additional constraints on the monad. This method is complemented by results that, under suitable conditions, allow the extraction of abstract states from a given monad, giving rise to a structure theorem for 'dynamic truth values' which guarantees the interpretability of the modal operators. The structure theorem is both of independent interest and the basis for further research into the question of whether a monad can generally be decomposed into aspects of input, output, and state. 

Given the semantics of the modal operators, we have introduced a generic proof system for dynamic logic over an arbitrary monad, where the rules and axioms are proved as lemmas about the encoding. We have thus ended up with a logic that allows dynamic reasoning about computations with side effects, leaving the actual nature of the side effects open. In practice, one will aim at performing a large amount of verification in this generic setting, and switch to instantiations of the calculus for particular monads only in the more detailed analysis. As an example, we have laid out how operations in the non-determinism monad can be axiomatized by means of dynamic logic formulas. A library of monad definitions in HasCasl will make extensive use of this axiomatization principle; the compositionality of such axiomatizations w.r.t. monad combination is subject of further research. 

One of the crucial features of dynamic logic is its ability to express termination of programs. As an example application, we have shown how to obtain a termination rule for a generic iteration construct; i.e. not only partial correctness, but also total correctness lends itself to monad-independent reasoning. This corroborates Moggi's claim [8] that the logic of monads is the right setting for reasoning about computations with effects. 
Abstract. This paper deals with stepwise development of systems based on a rule-based approach. Modeling using this approach usually starts with a rough model of a system which is refined in further steps. This approach is based on rules and transformations as known from the theory of HLR systems. Preservation of certain system properties during this process is of importance. In the context of Petri nets the developed property preserving rules and transformations restrict the variety of modeling possibilities to refinement of the system by additional details. The concept for conceptual change and redesign of a part of the modeled system is of interest. Up to now the request for a large change of structure of the modeled system forced the redevelopment of the whole system from origin. Otherwise the property preserving rules could not be employed and the tedious investigation of system properties had to be done for the final system. In this paper we describe the possibility of building new property preserving rules from other ones which are suitable for redesign of a system's parts. 



1 Introduction 

The incremental approach to the development of system models has been 
investigated in many papers. A well-accepted technique of incremental 
development is the stepwise refinement of the modeled system. This technique 
refines a coarse model of a system until the necessary level of detail is 
reached. The important question of a stepwise design is how to preserve 
certain system properties, so that they need not be checked repeatedly during 
the design of the system. This gives rise to the concept of property 
preserving development and redesign. The approach in this paper is based on 
transformations in High-Level Replacement Systems (HLR Systems) as introduced 
in [EHKP91a]. The Q-theory introduced in [Pad96] extends the theory of 
transformations by property preserving refinement morphisms. The necessary 
notions from the theory of HLR systems are summarized in Section 2. 

The idea of a transformation $N_1 \Rightarrow N_2$ in HLR systems uses the 
so-called double pushout approach as known from graph transformations. If such 
a transformation is extended by a property preserving morphism q assuring that 
a certain system property $\phi$ is preserved, then such a transformation is 
called a Q-transformation. General results concerning the compatibility of 
Q-transformations with categorical structuring techniques like union and 
fusion, and other results including the Church-Rosser and Parallelism 
Theorems, are available. 

A disadvantage of this approach is that it is not possible to completely 
redesign a part of a system and preserve certain system properties via 
transformations if such a change is necessary for practical or other reasons. 
A stepwise refinement usually does not allow a change of the design concept, 
because only refinement of the existing structure is allowed. 

The property preserving system redesign is based on the following. Having 
two Q-transformations preserving certain properties, say the transformations 
$N_0 \Rightarrow N_1$ and $N_0 \Rightarrow N_2$, a new direct transformation 
$N_1 \Rightarrow N_2$ can be constructed. 

If a system property $\phi$ is respected and preserved by the transformations 
$N_0 \Rightarrow N_1$ and $N_0 \Rightarrow N_2$ then, as a logical conclusion, 
the property $\phi$ is preserved by the transformation $N_1 \Rightarrow N_2$. 
The newly derived transformation is called PB-induced transformation¹ as its 
construction is based on pullbacks. The PB-induced transformations are 
formally introduced in Section 3. 

The major advantage of this approach is that it is possible to build up new 
property preserving rules and transformations from old ones without the 
explicit definition of a property preserving refinement morphism. This allows 
switching from one design concept to another without restarting the design of 
the system from the beginning. 

An example application is liveness preserving transformations of Petri nets. 
We will discuss the application of this approach to the design and redesign 
of a simple Producers-Consumers system in Section 4. 



2 Formal Framework of Net Model Transformation 

The idea of net transformation systems is one of the possible instantiations of 
the more general idea of high-level transformation systems (see [EHKP91b]). In 
this section we summarize the necessary definitions and results. To present all 
the theoretical results in detail is beyond the scope of the paper; they can be 
found in the literature cited here. 

The next definition introduces rules, transformations and net transformation 
systems formally for a given category NET of low- or high-level nets. More about 
the underlying theory can be found in [PER95] and in [Pad99]. We will assume 
to have a suitable category NET of nets and net morphisms, i.e. a category 
satisfying the so-called HLR conditions stated in Appendix A. 

¹ This is a different notion than the pullback transformation of open graphs. 

Definition 1 (Rules, Transformations, Net Transformation Systems). 

1. A rule $p = (L \xleftarrow{l} K \xrightarrow{r} R)$ in a category NET 
consists of the nets L, K and R, called left-hand side, interface, and 
right-hand side, respectively, and two morphisms $l : K \to L$ and 
$r : K \to R$ with both morphisms $l, r \in \mathcal{M}$, a suitable class of 
injective morphisms in NET. 

2. Given a rule $p = (L \leftarrow K \to R)$, a direct transformation 
$G \Rightarrow H$ from a net G to a net H is given by two pushout diagrams (1) 
and (2) in the category NET as shown below. 

[Diagram: the pushout squares (1) and (2) of the direct transformation; 
omitted in this text version.] 

The morphisms $m : L \to G$ and $n : R \to H$ are called occurrences of L in G 
and R in H, respectively. By an occurrence of a rule 
$r = (L \xleftarrow{l} K \xrightarrow{r} R)$ in a net G we mean an occurrence 
of the left-hand side L in G. 

In fact, the occurrence morphism m has to satisfy a specific condition, called 
gluing condition, in order to be able to apply the rule p to the net G. 

3. Given a category of nets NET together with a suitable class of injective 
morphisms $\mathcal{M}$, a net transformation system $\mathcal{H} = (S, \mathcal{P})$ 
in $(\mathbf{NET}, \mathcal{M})$ is given by a start net $S \in |\mathbf{NET}|$ 
and a set of rules $\mathcal{P}$. 

I r 

Informally, a rule $r = (L \xleftarrow{l} K \xrightarrow{r} R)$ is given by 
three nets L, K, and R. Moreover, K is a subnet of both L and R, expressed by 
the morphisms l and r. Application of a rule to the net G is a net model 
transformation of G. The transformation means replacing a subnet specified by 
the left-hand side of the rule with the net specified by the right-hand side. 
More precisely, we first identify the subnet L in G. Then we delete those 
parts of the subnet L which are not subnets of the interface net K. This 
results in an intermediate net C, where in a further step we add the 
difference of R and K to the preserved subnet C to obtain the transformed net 
H. In case the left-hand side is empty, we simply add the right-hand side to 
the first net. 
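The delete-then-glue procedure just described can be carried out directly on a set-based net representation. The following Python is an added example and not code from the paper: it models a net by its places, transitions and arcs, a rule by three such nets with the interface K included in both L and R (so l and r are inclusions), and an occurrence by an injective dict on node names. It also implements the gluing condition for injective occurrences as the dangling condition on arcs. The rule REFINE, the host net G, the occurrence M and all node names are constructed for illustration.

```python
"""Double-pushout (DPO) application of a net transformation rule.

Added example, not code from the paper. A net is a set of places, a set of
transitions and a set of arcs; a rule is (L, K, R) with the interface K
included in both L and R; an occurrence of L in G is an injective dict on
node names. REFINE, G, M and every node name below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Net:
    places: frozenset
    transitions: frozenset
    arcs: frozenset  # pairs (source, target) between places and transitions

    def nodes(self):
        return self.places | self.transitions


def net(places, transitions, arcs):
    return Net(frozenset(places), frozenset(transitions), frozenset(arcs))


def is_occurrence(L, G, m):
    """m : L -> G is an injective net morphism: places go to places,
    transitions to transitions, and every arc of L to an arc of G."""
    if set(m) != L.nodes() or len(set(m.values())) != len(m):
        return False
    if any(m[p] not in G.places for p in L.places):
        return False
    if any(m[t] not in G.transitions for t in L.transitions):
        return False
    return all((m[s], m[t]) in G.arcs for s, t in L.arcs)


def gluing_condition(rule, G, m):
    """Dangling condition: a node deleted by the rule (in L but not in K) must
    not carry an arc of G that the rule does not delete as well. With an
    injective occurrence the identification condition holds trivially."""
    L, K, _ = rule
    deleted = {m[x] for x in L.nodes() - K.nodes()}
    matched_arcs = {(m[s], m[t]) for s, t in L.arcs}
    return all((s, t) in matched_arcs
               for s, t in G.arcs if s in deleted or t in deleted)


def apply_rule(rule, G, m, fresh):
    """Direct transformation G => H via the rule at occurrence m.
    `fresh` names the nodes of R \\ K in H and must not clash with the
    context net C. Returns (C, H, n) with n : R -> H the occurrence of R."""
    L, K, R = rule
    if not is_occurrence(L, G, m):
        raise ValueError("m is not an occurrence of L in G")
    if not gluing_condition(rule, G, m):
        raise ValueError("gluing condition violated: rule not applicable here")
    # Pushout complement (1): delete the image of L \ K, arcs included.
    del_nodes = {m[x] for x in L.nodes() - K.nodes()}
    del_arcs = {(m[s], m[t]) for s, t in L.arcs - K.arcs}
    C = Net(G.places - del_nodes, G.transitions - del_nodes, G.arcs - del_arcs)
    # Pushout (2): glue R \ K onto C along the preserved interface K.
    n = {x: m[x] for x in K.nodes()}
    n.update({x: fresh[x] for x in R.nodes() - K.nodes()})
    if set(n.values()) & C.nodes() != {m[x] for x in K.nodes()}:
        raise ValueError("fresh names clash with nodes of the context net")
    H = Net(C.places | {n[p] for p in R.places - K.places},
            C.transitions | {n[t] for t in R.transitions - K.transitions},
            C.arcs | {(n[s], n[t]) for s, t in R.arcs - K.arcs})
    return C, H, n


# Transition refinement rule (constructed): the transition t between the
# places p1 and p2 is replaced by two transitions in sequence via a new place q.
REFINE = (net({"p1", "p2"}, {"t"}, {("p1", "t"), ("t", "p2")}),          # L
          net({"p1", "p2"}, set(), set()),                               # K
          net({"p1", "q", "p2"}, {"t1", "t2"},                           # R
              {("p1", "t1"), ("t1", "q"), ("q", "t2"), ("t2", "p2")}))

# Host net (constructed): parts are assembled, then delivered to be consumed.
G = net({"parts", "assembled", "consumed"}, {"assemble", "deliver"},
        {("parts", "assemble"), ("assemble", "assembled"),
         ("assembled", "deliver"), ("deliver", "consumed")})
M = {"p1": "assembled", "t": "deliver", "p2": "consumed"}


def refine_delivery():
    """Refine 'deliver' into 'pack' followed by 'ship' via the place 'packed'."""
    _, H, _ = apply_rule(REFINE, G, M, {"t1": "pack", "q": "packed", "t2": "ship"})
    return H


def dangling_example():
    """Same occurrence in a host where 'deliver' also feeds a 'log' place: the
    extra arc would dangle, so the gluing condition rejects the application."""
    G2 = net(G.places | {"log"}, G.transitions, G.arcs | {("deliver", "log")})
    return gluing_condition(REFINE, G2, M)
```

The two pushouts appear as the two set operations: the complement C is G minus the image of L \ K, and H is C plus the image of R \ K glued at the image of K. The check in `gluing_condition` is what makes the first step a pushout complement at all; without it the deleted transition would leave an arc pointing at nothing.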

Although the net transformation framework is a suitable concept for the 
stepwise development of systems, very often there is a need to consider more 
general morphisms for refinement or abstraction in addition. The main idea is 
to enlarge the category of nets by Q-morphisms in the sense of [Pad96] in 
order to formulate refinement/abstraction morphisms. 

More precisely, another category of nets QNET with a distinguished class of 
morphisms Q, called Q-morphisms, is employed. The category QNET enriches 
the net transformation system defined in $(\mathbf{NET}, \mathcal{M})$ and 
yields the notion of Q-morphisms and Q-transformations. The class of 
Q-morphisms has to satisfy additional requirements called Q-conditions (see 
[Pad96]) to be adequate for refinement or abstraction. The formal definitions 
are given below. 
Definition 2 (Class of Q-morphisms). Let QNET be a category such that NET 
is a subcategory, $\mathbf{NET} \subseteq \mathbf{QNET}$, and Q a class of 
morphisms in QNET. 

1. The morphisms in Q are called Q-morphisms, or refinement/abstraction 
morphisms. 

2. The Q-morphisms must satisfy the so-called Q-conditions, namely closedness 
of Q, preservation of pushouts, and inheritance of Q-morphisms under pushouts 
and coproducts. 

Moreover, let $\mathcal{O} = (\mathcal{O}^q)_{q \in Q}$ be an indexed class of 
adequate occurrence morphisms in QNET with respect to a refinement morphism 
$q \in Q$. These occurrence morphisms restrict the applicability of rules as 
defined in Theorem 1 below. 

Definition 3 (Q-Rules and Q-Transformations). 

1. A (preserving) Q-rule (p, q) is given by a rule 
$p = (L \xleftarrow{l} K \xrightarrow{r} R)$ in NET and a Q-morphism 
$q : L \to R$, so that $q \circ l = r$ in QNET. 

2. A respecting Q-rule (p, q) is given by a rule 
$p = (L \xleftarrow{l} K \xrightarrow{r} R)$ in NET and a Q-morphism 
$q : R \to L$, so that $q \circ r = l$ in QNET. 

The next theorem states that Q-morphisms are preserved by transformations. 

Theorem 1 (Induced Transformations and Pushouts in QNET). Let 
QNET be a supercategory of NET according to Definition 2. 

1. Given a preserving Q-rule (p, q) and a transformation $G \Rightarrow H$ in 
NET with an occurrence $m : L \to G$ defined by the pushouts (1) and (2), 
there is a unique $q' \in Q$ such that $q' \circ g = h$ and 
$q' \circ m = n \circ q$ in QNET. The transformation 
$(G \Rightarrow H, q' : G \to H)$, or $G \Rightarrow H$ for short, is called 
Q-transformation. Moreover, $R \xrightarrow{n} H \xleftarrow{q'} G$ is a 
pushout of $G \xleftarrow{m} L \xrightarrow{q} R$ in QNET. 

If the morphisms in Q preserve some property $\phi$ then we have the 
following: $G \models \phi$ implies $H \models \phi$. 

2. Given a respecting Q-rule (p, q) and a transformation $G \Rightarrow H$ 
with an occurrence $n : R \to H$ in NET defined by the pushouts (1) and (2), 
there is a unique $q' \in Q$ such that $q' \circ h = g$ and 
$q' \circ n = m \circ q$ in QNET. The transformation 
$(G \Rightarrow H, q' : H \to G)$, or $G \Rightarrow H$ for short, is called 
Q-R-transformation. Moreover, $L \xrightarrow{m} G \xleftarrow{q'} H$ is a 
pushout of $H \xleftarrow{n} R \xrightarrow{q} L$ in QNET. 

If the morphisms in Q respect some property $\phi$ then we have the 
following: $G \models \phi$ implies $H \models \phi$. 
The proof can be found in [Pad96]. 

Preserving and respecting transformations differ in the direction of the 
Q-morphisms q, q'. The pushout squares (1) and (2) represent a transformation 
in the category NET (as in Definition 1). The Q-morphism q is a 
refinement/abstraction morphism in QNET. The morphism q' is the induced 
morphism (according to Theorem 1), which belongs to the class of Q-morphisms 
in QNET as well. 

There are many other interesting results available in the general theory of 
HLR systems. The most important are the Church-Rosser theorem, the 
parallelism theorem, and compatibility with horizontal structuring techniques 
(union and fusion). These results can be found in [EHKP91b,Pad96]. 



3 PB-Induced Transformations and System Redesign 

The Q-theory as discussed in the previous section is very useful for the 
enhancement of rule-based refinement by refinement/abstraction morphisms. But 
these refinement/abstraction morphisms may become quite complicated, as in 
the case of the collapsing and abstracting morphisms published in 
[UP02,Urb02]. For many applications even the generalization of simple 
morphisms is of interest, as in the case of generalized collapsing morphisms 
(see [Urb02,Urb03]). However, the generalization of quite sophisticated 
morphisms may be tiring. Therefore, we try to derive new rules from other 
rules such that some system properties will be preserved without an explicit 
definition of Q-morphisms. 

In the next paragraphs we will develop the concept of PB-induced rules, which 
are related to the D-concurrent rules published in [EHKP91b,EHKPP90]. Our 
PB-induced rules are a special case of D-concurrent rules when we use the 
trick that all rules in the double pushout approach are symmetric. 

We will adopt the pullback construction to define induced rules and 
transformations. Further we will discuss property preservation under these 
rules and transformations. 

Our goal is to extend the existing commutative diagram of two property 
preserving Q-transformations below by another transformation 
$N_1 \Rightarrow N_2$ such that the system properties are kept unchanged and 
there is no explicit property preserving morphism from $N_1$ to $N_2$ or vice 
versa. 

We will consider property respecting Q-rules in this section. Property 
preserving Q-rules are dealt with similarly. 

For our approach we will consider HLR categories satisfying the HLR2 
conditions. The HLR2 conditions (see Definition 6 in Appendix A) are more 
restrictive than the HLR conditions (see Definition 5 in Appendix A), but for 
practical cases they are satisfied by many categories of nets. 




We will construct a new rule (and a new transformation $N_1 \Rightarrow N_2$) 
from two rules with the same left-hand side net as in the definition below. 

Definition 4 (PB-Induced Rules). Given two Q-rules 
$r_1 = (p_1 = (L_1 \leftarrow I_1 \to R_1), q_1)$ and 
$r_2 = (p_2 = (L_1 \leftarrow I_2 \to R_2), q_2)$ as below. 

[Diagram: the rules $p_1$ and $p_2$ sharing the left-hand side $L_1$, with 
their Q-morphisms $q_1$ and $q_2$; omitted in this text version.] 

We define a PB-induced rule $pbind(r_1, r_2)$ as a rule 

$$R_1 \xleftarrow{\mathcal{M}} L_0 \xrightarrow{\mathcal{M}} R_2$$ 

where the net (object) $L_0$ is obtained by the calculation of the pullback 
as below, and the morphisms $L_0 \to R_1$, $L_0 \to R_2$ are obtained by 
composition of the morphisms $L_0 \to I_1 \to R_1$ and $L_0 \to I_2 \to R_2$ 
as in the diagram below. 

[Diagram: the pullback $L_0$ of $I_1 \to L_1 \leftarrow I_2$ and the composed 
morphisms into $R_1$ and $R_2$; omitted.] 

Note that the morphisms $L_0 \to I_1$ and $L_0 \to I_2$ are 
$\mathcal{M}$-morphisms due to the inheritance of $\mathcal{M}$-morphisms 
under pullbacks (see Appendix A, Definition 5 part 3) and that a composition 
of two $\mathcal{M}$-morphisms is an $\mathcal{M}$-morphism when HLR2 
categories are considered. 
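The pullback construction of Definition 4 in the simplest setting, as an added example that is not code from the paper: objects are plain sets of node names (a net viewed as its places and transitions) and M-morphisms are injective maps, so the pullback is the set-theoretic one; for real nets the same construction is taken componentwise on places and transitions. The rules RULE1 and RULE2, their interfaces and all element names are constructed here; RULE2 deliberately names its interface elements differently from their images to show that the pullback matches along the morphisms, not along names.

```python
"""PB-induced rule (Definition 4) computed by a set-theoretic pullback.

Added example, not code from the paper. Objects are sets of node names,
M-morphisms are injective dicts, and a rule is a dict
{"L", "K", "R", "l": K -> L, "r": K -> R}. RULE1, RULE2 and every element
name below are constructed for illustration.
"""


def is_injective(f):
    return len(set(f.values())) == len(f)


def compose(f, g):
    """g after f as dicts: x -> g(f(x))."""
    return {x: g[f[x]] for x in f}


def pullback(l1, l2):
    """Pullback of l1 : I1 -> L and l2 : I2 -> L in Set:
    L0 = {(x1, x2) | l1(x1) = l2(x2)} with projections pi1, pi2.
    For injective l1, l2 both projections are injective again, which is the
    inheritance of M-morphisms under pullbacks (Appendix A, Def. 5, 3(b))."""
    L0 = {(x1, x2) for x1, y1 in l1.items() for x2, y2 in l2.items() if y1 == y2}
    pi1 = {pair: pair[0] for pair in L0}
    pi2 = {pair: pair[1] for pair in L0}
    return L0, pi1, pi2


def pullback_commutes(l1, l2):
    """Sanity check of the pullback square: l1 . pi1 == l2 . pi2."""
    _, pi1, pi2 = pullback(l1, l2)
    return compose(pi1, l1) == compose(pi2, l2)


def pb_induced_rule(rule1, rule2):
    """pbind(r1, r2) = (R1 <- L0 -> R2) for two rules over one left-hand side:
    L0 is the pullback of the interfaces I1 -> L <- I2, and the new morphisms
    are the compositions L0 -> I1 -> R1 and L0 -> I2 -> R2 (closure of M under
    composition, HLR2 condition 2, keeps them injective)."""
    if rule1["L"] != rule2["L"]:
        raise ValueError("both rules must share the left-hand side")
    for f in (rule1["l"], rule1["r"], rule2["l"], rule2["r"]):
        if not is_injective(f):
            raise ValueError("rule morphisms must be M-morphisms (injective)")
    L0, pi1, pi2 = pullback(rule1["l"], rule2["l"])
    left, right = compose(pi1, rule1["r"]), compose(pi2, rule2["r"])
    assert is_injective(left) and is_injective(right)
    return {"L": rule1["R"], "K": L0, "R": rule2["R"], "l": left, "r": right}


# Shared left-hand side (constructed): a transition t between places p1, p2.
LHS = {"p1", "t", "p2"}

# RULE1 keeps both places and refines t into the sequence t1 -> q -> t2.
RULE1 = {"L": LHS, "K": {"p1", "p2"}, "R": {"p1", "t1", "q", "t2", "p2"},
         "l": {"p1": "p1", "p2": "p2"}, "r": {"p1": "p1", "p2": "p2"}}

# RULE2 keeps p2 and t (called a and b in its interface), deletes p1 and adds
# a new place x fed by a new transition u.
RULE2 = {"L": LHS, "K": {"a", "b"}, "R": {"a", "b", "x", "u"},
         "l": {"a": "p2", "b": "t"}, "r": {"a": "a", "b": "b"}}


def induced_example():
    """pbind(RULE1, RULE2): the interfaces only agree on p2, so L0 has one
    element and the induced rule R1 <- L0 -> R2 preserves just that place."""
    return pb_induced_rule(RULE1, RULE2)
```

The induced rule has the right-hand side of RULE1 as its left-hand side and the right-hand side of RULE2 as its right-hand side, so applying it to a net obtained by RULE1 replaces that refinement by the one RULE2 would have produced, keeping exactly what both interfaces kept.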
Lemma 1 (PB-Induced Transformations). Consider two Q-transformations 
$N' \Rightarrow N_1$ and $N' \Rightarrow N_2$ as in the diagram below. 

[Diagram: the rules $r_1 = (L_1 \leftarrow I_1 \to R_1, q_1)$ and 
$r_2 = (L_1 \leftarrow I_2 \to R_2, q_2)$ applied to the common net $N'$ via 
the context nets $C_1$ and $C_2$, with the pushouts (PO) and the 
$\mathcal{M}$-morphisms marked; omitted in this text version.] 

Then there exists an induced PB-transformation $N_1 \Rightarrow N_2$ according 
to the rule $r_3 = pbind(r_1, r_2)$: 

[Diagram: the PB-induced rule $R_1 \leftarrow L_0 \to R_2$ applied over 
$N_1 \leftarrow N_0 \to N_2$; omitted.] 

where $N_0 \to N_1$ and $N_0 \to N_2$ are defined via the pullback of 
$C_2 \to N'$ and $C_1 \to N'$ (see diagram below). 

[Diagram: the pullback $N_0$ of $C_1 \to N' \leftarrow C_2$ together with 
$L_0$, $R_1$, $R_2$, $N_1$ and $N_2$; omitted.] 

Proof. The proof comprises the following steps. 

1. $L_0$, $N_0$ and the corresponding morphisms are defined as pullbacks in 
the diagram above. It has to be shown that the morphism $L_0 \to N_0$ exists 
and that the whole diagram commutes. Due to the universal property of the 
pullback $N_0 \to C_1$, $N_0 \to C_2$ and the existence of the composition 
morphisms $L_0 \to C_2$ and $L_0 \to C_1$, there exists a unique morphism 
$L_0 \to N_0$ such that the diagram commutes. 

2. The composition morphisms $L_0 \to R_1$ and $L_0 \to R_2$ are 
$\mathcal{M}$-morphisms, as the HLR2 conditions guarantee that the class of 
$\mathcal{M}$-morphisms is closed under composition. 

3. The morphisms $N_0 \to C_1$, $N_0 \to C_2$, $C_1 \to N'$, and 
$C_2 \to N'$ are in $\mathcal{M}$ due to HLR condition 3, inheritance of 
$\mathcal{M}$ under pushouts (see Definition 5 in Appendix A). 

4. Due to condition 3 (cube lemma) of the HLR2 conditions (see Appendix A) 
the diagrams 

[Diagrams omitted.] 

are pushouts. 

5. Due to closedness of the pushout construction under composition, the 
diagrams 

[Diagrams omitted.] 

are pushouts. Therefore they form the requested transformation. 



The presented PB-induced rules and transformations can be constructed in 
HLR systems satisfying the HLR2 conditions. 

Next we present an example of the calculation of a PB-induced rule from two 
rules. The calculation of a PB-induced transformation from two given 
transformations is analogous. 

Consider the two rules in Figure 1(a),(b). The construction of a PB-induced 
rule starts with the calculation of a pullback as in Figure 1(c). The final 
PB-induced rule according to the definition is obtained by composition of 
morphisms and is shown in Figure 1(d). 

A special case of PB-induced rules and transformations is valid for HLR 
systems satisfying the HLR conditions only. In this case not only the 
left-hand side nets are the same but also both interface nets, as in the 
diagram below. The constructed rule $p = (R_1 \leftarrow I_1 = I_2 \to R_2)$ 
and transformation $N_1 \Rightarrow N_2$ is a simple case of the more general 
construction of PB-induced rules. 

[Diagram: the rule $R_1 \leftarrow I_1 = I_2 \to R_2$ with common interface 
applied via the context nets $C_1$, $C_2$ to give $N_1 \Rightarrow N_2$; 
omitted in this text version.] 

[Fig. 1. Example of a calculation of a PB-induced rule: (a) First rule; 
(b) Second rule; (c) Calculation of a pullback. Figure omitted in this text 
version.] 

Theorem 2 (Preservation of Properties via PB-Transformations). Consider 
two Q-transformations $N_0 \Rightarrow N_1$ and $N_0 \Rightarrow N_2$ and the 
PB-induced transformation $N_1 \Rightarrow N_2$ as in the commuting diagram 
below. 

[Diagram omitted.] 

If both Q-transformations $N_0 \Rightarrow N_1$ and $N_0 \Rightarrow N_2$ 
preserve and respect a certain system property $\phi$, then the PB-induced 
transformation $N_1 \Rightarrow N_2$ preserves and respects the system 
property $\phi$, too. 

Proof. Both Q-transformations preserve and respect the system property 
$\phi$, i.e. 

$$N_1 \models \phi \iff N_0 \models \phi$$ 

$$N_2 \models \phi \iff N_0 \models \phi$$ 

As a logical conclusion of these two premises we get 

$$N_1 \models \phi \iff N_2 \models \phi$$ 
This corollary is important when new property preserving rules and 
transformations are built up from existing ones. 

The major advantage of PB-induced rules is that it is possible to build up 
new property preserving rules and transformations from old ones without the 
explicit definition of a property preserving refinement morphism. This allows 
one to switch from one design concept to another without restarting the 
design of the system from the beginning, and therefore to overcome the 
limitations of simple stepwise refinement. 

In general, more complex redesign rules than PB-induced rules could be 
constructed. The construction of PB-induced rules may assure the preservation 
of system properties. If other redesign rules are used, then the preservation 
of system properties has to be proven by other techniques. 



4 Example: Design and Redesign of Producers-Consumers System 

We will illustrate our concept on an example of a Producers-Consumers system. 
Many variations of such systems can be found in production lines or 
manufacturing processes. The Producers-Consumers system is a typical example 
of a system which is not bounded. The main analysis questions for the system 
concentrate on liveness. Analysis of liveness may reveal possible deadlocks in 
the behavior of the modeled system. A simple version of the 
Producers-Consumers system might look like the one in Figure 2(a). There are 
two production lines involved in the process of producing the two parts 
needed for the final products. After production, these parts are assembled 
and delivered to the customer to be consumed. After the first abstract view 
of the system model, designers usually focus on details of the system and try 
to refine it. During this refinement the techniques of hierarchical 
decomposition are employed. The focus is on methods preserving the main 
properties of the modeled system. 

Here we are concerned with the liveness preservation of the refinement, and 
we focus on the special case of transition refinement, one of the basic 
refinement techniques. In [GPU01,Urb02] it has been shown that a special kind 
of transition refinement preserves and respects liveness of the net. We will 
not present the formal definitions and theorems due to lack of space; they 
can be found in the cited papers. The liveness preserving transition 
refinement of nets is based on collapsing morphisms. These rules replace one 
transition by a certain kind of live net called a live in-out cycle. 

Figure 2(c) shows a transformation rule which refines the boldface transition 
on the left-hand side of the rule and replaces it by a more complex expression 
of the behavior of the system on the right-hand side. The boldface part of the 
right-hand side of the rule is a live in-out cycle. 

The idea of a transformation is that a left-hand side subnet (in our case 
Delivering) is mapped to an existing Petri net. Then the image of this subnet 
is deleted except for the interface (the middle part of the rule, also called 
the gluing object) in the Petri net. The right-hand side (Packing & 
Delivering) of the rule is then glued to the interface, which remains 
unchanged. 

[Fig. 2. Design and redesign of producers-consumers system: (c) A rule for 
transition refinement; (d) Rule for redesign; (e) Final system. Figure 
omitted in this text version.] 

In our example the refining step corresponds to the refinement of the product 
delivering phase into two phases. The first one is a packing phase, the other 
is the proper delivering of a product. Packing involves two parallel 
subprocesses. At one particular moment exactly one product can be in the 
packing line. This condition is modeled by the marked place Availability of 
the packing line. 

If we refine the boldface transitions in Figure 2(a), we obtain the system in 
Figure 2(b). Three transitions in the system were replaced according to the 
rule for transition refinement. This approach is often used in hierarchical 
decomposition modeling. 

Remember that one rule can be applied several times (in our case three 
times). This fact is one of the main advantages of the rule-based approach. 
The transformation is fully local and its application therefore does not 
depend on the other parts of the net. 

Liveness preserving transformations are limited to the refinement of 
transitions by live in-out cycles. Live in-out cycles are quite restricted 
live nets. This approach has been generalized in [Urb02], where so-called 
live boxes are admitted for transition refinement. In both cases it is only 
possible to replace one transition by a subnet; it is impossible to replace a 
subnet by a subnet. Using the results from Section 3, the replacement of one 
live in-out cycle (or live box) by another becomes possible, and even such a 
change guarantees preservation of liveness. For more details see 
[Urb02,Urb03]. Thus, the rule in Figure 2(d) is a liveness preserving rule, as 
the boldface parts on its left- and right-hand sides are live in-out cycles. 
This rule allows changing the parallel process of packing and delivering into 
a sequential process. The redesign of consumer 3 according to this rule yields 
the final net in Figure 2(e). 

All nets in Figures 2(a),(b),(e) are live in the sense that every transition 
can become enabled from any reachable marking of the net. Liveness of the 
abstract place/transition Producers-Consumers system in Figure 2(a) has to be 
proven by standard techniques. Liveness of the designed system in Figure 2(b) 
can be deduced easily by employing results from [GPU01,UP02]. The liveness of 
the net in Figure 2(e) can be induced from the results in Section 3 and in 
[Urb02,Urb03]. 

The use of liveness preserving transformations guarantees the refined system 
to be live if the original system was. 
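The liveness notion used above (every transition can become enabled from any reachable marking) can be checked mechanically for a bounded net by exploring its reachability graph, which is the "standard technique" a designer falls back on when no preservation result applies. The following Python is an added example and not code from the paper. The nets, their place and transition names and the initial markings are constructed here to mirror one delivery cycle of the example: the abstract view, its refinement into a packing phase guarded by an availability place, a sequential redesign of that phase, and one deliberately faulty redesign that forgets to release the availability token and which the check rejects.

```python
"""Liveness of a bounded place/transition net via its reachability graph.

Added example, not code from the paper. A net is given by the pre- and
post-sets of its transitions with arc weights; a marking maps places to
token counts. All nets, names and initial markings below are constructed.
"""
from collections import deque


def places_of(net):
    """Sorted list of all places mentioned by any arc (fixes marking order)."""
    ps = set()
    for t in net["pre"]:
        ps |= set(net["pre"][t]) | set(net["post"][t])
    return sorted(ps)


def reachable(net, m0, limit=10_000):
    """Reachability graph by breadth-first search.
    Returns {marking: [(transition, successor marking), ...]}; markings are
    tuples ordered as places_of(net). The limit guards against unbounded
    nets, whose reachability graph is infinite (a coverability graph would be
    needed there)."""
    places = places_of(net)
    idx = {p: i for i, p in enumerate(places)}
    start = tuple(m0.get(p, 0) for p in places)
    succ, seen, queue = {}, {start}, deque([start])
    while queue:
        m = queue.popleft()
        succ[m] = []
        for t, pre in net["pre"].items():
            if not all(m[idx[p]] >= w for p, w in pre.items()):
                continue  # t is not enabled at m
            nxt = list(m)
            for p, w in pre.items():
                nxt[idx[p]] -= w
            for p, w in net["post"][t].items():
                nxt[idx[p]] += w
            nxt = tuple(nxt)
            succ[m].append((t, nxt))
            if nxt not in seen:
                if len(seen) >= limit:
                    raise ValueError("state-space limit hit: net may be unbounded")
                seen.add(nxt)
                queue.append(nxt)
    return succ


def is_live(net, m0):
    """Live: from every reachable marking every transition can become enabled
    again. A dead marking, or a transition that stays disabled for good from
    some marking on, makes the net non-live."""
    succ = reachable(net, m0)
    transitions = set(net["pre"])
    for m in succ:
        seen, queue = {m}, deque([m])
        while queue:  # markings reachable from m, m itself included
            x = queue.popleft()
            for _, y in succ[x]:
                if y not in seen:
                    seen.add(y)
                    queue.append(y)
        if {t for x in seen for t, _ in succ[x]} != transitions:
            return False
    return True


# (a) Abstract view (constructed): an assembled product is delivered and
#     consumed; consumption frees the line for the next assembly.
ABSTRACT = {"pre":  {"deliver": {"assembled": 1}, "assemble": {"consumed": 1}},
            "post": {"deliver": {"consumed": 1}, "assemble": {"assembled": 1}}}
M0_ABSTRACT = {"assembled": 1}

# (b) Delivery refined into packing (two parallel sub-processes) and delivery;
#     the marked place 'free' models that one product at a time is in packing.
PARALLEL = {"pre":  {"assemble": {"consumed": 1},
                     "pack": {"assembled": 1, "free": 1},
                     "deliver": {"packed_a": 1, "packed_b": 1}},
            "post": {"assemble": {"assembled": 1},
                     "pack": {"packed_a": 1, "packed_b": 1},
                     "deliver": {"consumed": 1, "free": 1}}}
M0_REFINED = {"assembled": 1, "free": 1}

# (c) Redesign of the packing phase into a sequential process.
SEQUENTIAL = {"pre":  {"assemble": {"consumed": 1},
                       "pack_a": {"assembled": 1, "free": 1},
                       "pack_b": {"packed_a": 1},
                       "deliver": {"packed_b": 1}},
              "post": {"assemble": {"assembled": 1},
                       "pack_a": {"packed_a": 1},
                       "pack_b": {"packed_b": 1},
                       "deliver": {"consumed": 1, "free": 1}}}

# (d) A faulty redesign that never returns the 'free' token: the next product
#     can never enter packing, so the net reaches a dead marking.
BROKEN = {"pre": SEQUENTIAL["pre"],
          "post": {**SEQUENTIAL["post"], "deliver": {"consumed": 1}}}

if __name__ == "__main__":
    for name, n, m0 in [("abstract", ABSTRACT, M0_ABSTRACT),
                        ("parallel", PARALLEL, M0_REFINED),
                        ("sequential", SEQUENTIAL, M0_REFINED),
                        ("broken", BROKEN, M0_REFINED)]:
        print(name, "live" if is_live(n, m0) else "NOT live")
```

The three well-formed nets are live because their only behaviour is one cycle through all transitions; the faulty one is rejected because after one round the `free` token is gone and `pack_a` can never fire again. For the unbounded Producers-Consumers system of Figure 2 the reachability graph is infinite, which is why the `limit` exists and why the paper relies on preservation results instead of exhaustive exploration.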



5 Conclusion 

The application of a rule-based approach to the stepwise development of 
systems has been presented in this paper. We introduced so-called PB-induced 
rules and transformations, which are built as a combination of two other 
rules and transformations. We have shown that PB-induced transformations may 
be liveness preserving. We have demonstrated the usability of this approach 
on the design and redesign of a simple live producers-consumers system. 

The PB-induced transformation can replace one live in-out cycle by another 
while preserving liveness. This is a great advantage for system designers. 
They need not refine the system stepwise only; they can choose a certain part 
of a system and redesign it when necessary. The behavioral properties 
(liveness in this example) remain unchanged. This avoids the tedious total 
redesign of the system, understanding the old parts of the code, unnecessary 
costs of new development, etc. The presented concept can be applied to HLR 
systems in general, not only to the Petri net based HLR systems presented 
here. 

Moreover, this approach can be applied to other system models having a 
certain property, even if the models were not built up in a rule-based way. 
A HLR Conditions 

In this appendix the formal definitions of the HLR and HLR2 conditions are 
given. 

Definition 5 (HLR Conditions). Given a category NET (of nets) and a 
distinguished class $\mathcal{M}$ of morphisms in NET, the following 
conditions 1-7 are called HLR-conditions: 

1. Existence of $\mathcal{M}$-pushouts 

For objects A, B, C and morphisms $C \leftarrow A \to B$, where at least one 
is in $\mathcal{M}$, there exists a pushout $C \to D \leftarrow B$. 

2. Existence of $\mathcal{M}$-pullbacks 

For objects B, C, D and morphisms $B \to D$, $C \to D$ as in diagram (1) 
below, where both morphisms are in $\mathcal{M}$, there exists a pullback 
$C \leftarrow A \to B$. 

3. Inheritance of $\mathcal{M}$ 

(a) For each pushout diagram (1) as below, the morphism $A \to B \in \mathcal{M}$ 
implies $C \to D \in \mathcal{M}$. 

(b) For each pullback diagram (1) as below, the morphisms 
$B \to D \in \mathcal{M}$ and $C \to D \in \mathcal{M}$ imply 
$A \to B \in \mathcal{M}$ and $A \to C \in \mathcal{M}$. 

4. Existence of binary coproducts and compatibility with $\mathcal{M}$ 

(a) For each pair of objects A, B there is a coproduct $A + B$ with the 
universal morphisms $A \to A + B$ and $B \to A + B$. 

(b) For each pair of morphisms $A \to A'$ and $B \to B'$ in $\mathcal{M}$ the 
coproduct morphism $A + B \to A' + B'$ is also in $\mathcal{M}$. 

5. Existence of coequalizers 

NET has coequalizers. 

6. $\mathcal{M}$-pushouts are pullbacks 

Pushouts of $\mathcal{M}$-morphisms are pullbacks. 

7. $\mathcal{M}$-pushout-pullback-decomposition 

For each diagram below we have: if (1+2) is a pushout, (2) is a pullback and 
$A \to C$, $B \to D$, $E \to F$, $B \to E$ and $D \to F$ are 
$\mathcal{M}$-morphisms, then also (1) is a pushout. 

[Diagram: the squares (1) and (2); omitted in this text version.] 

Definition 6 (HLR2 Conditions). Given a category NET (of nets) and a 
distinguished class $\mathcal{M}$ of morphisms in NET, the following 
conditions 1-3 are called HLR2 conditions: 

1. HLR-conditions (see Def. 5). 

2. $\mathcal{M}$-morphisms are closed under composition and isomorphisms 

(a) Given morphisms $A \to B$ and $B \to C$ in $\mathcal{M}$, then 
$A \to B \to C$ is in $\mathcal{M}$. 

(b) Each NET-isomorphism is in $\mathcal{M}$. 

3. Cube-pushout-pullback lemma 

Given a commutative cube 

[Diagram: the cube; omitted in this text version.] 

where all morphisms in the top and bottom diagrams are in $\mathcal{M}$, the 
top diagram is a pullback, and the front and right diagrams are pushouts, 
then we have: the bottom diagram is a pullback if and only if the back and 
left diagrams are pushouts. 